lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2023-01-06T09:49:13Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2718
"Connected as" menu is broken on narrow screens
2023-01-06T09:49:13Z
Maxime Besson
### Concerned version
Version: 2.0.14
Chrome/Firefox
### Summary
* Resize your screen
* Try to open 2FA manage or refresh session
* The first click doesn't open the menu
* But the second click does:
![vokoscreenNG-2022-03-04_10-05-59](/uploads/60459e3ad77b1348817f0db13484398b/vokoscreenNG-2022-03-04_10-05-59.mp4)
### Possible fixes
This sub-menu is confusing and hard to find, even for wide-screen users; could we put these items in the main module bar?
![image](/uploads/3c96e490213e9a85997754266ad3466f/image.png)
Antoine Rosier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2705
uwsgi breaks special characters display on portal
2023-07-27T09:50:11Z
Albert Rinceau
Hi,
With llng 2.0.13:
Recently I moved from llng-fastcgi-server to uWSGI, but all special characters were no longer encoded correctly when displayed on the portal.
For example, ã gives é with uwsgi, but is well displayed with llng-fastcgi-server.
I tried to write it directly into the tpl files instead of the translation JSON file, but the final result is the same in both cases.
EDIT: As a workaround, using HTML entities in the translation JSON file seems to work (like replacing all 'è' by `è`).
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2699
configuration restore from json handles \u escape sequence incorrectly
2022-05-02T15:10:23Z
Benjamin Demarteau
### Concerned version
Version: 2.0.13-2.el8
Platform: httpd (Apache)
### Summary
We update the config from an ansible playbook by saving the config, patching it and loading it back. When we add values with UTF-8 characters, the next save shows garbled data.
### Logs
Nothing relevant
### Backends used
LDAP backend using OpenLDAP 2.4.46-18.el8.
### Possible fixes
Not sure where the characters get garbled, they are fine in the LDAP:
![image](/uploads/763e428e9ae8fa70a0bd0664ec6340ae/image.png)
The cache contains valid UTF-8:
```
00003b00 79 2c 52 61 64 69 75 73 00 00 00 00 0b 61 76 61 |y,Radius.....ava|
00003b10 69 6c 61 62 6c 65 32 46 04 03 00 00 00 04 04 03 |ilable2F........|
00003b20 00 00 00 02 17 13 49 6e 74 c3 a9 72 c3 aa 74 20 |......Int..r..t |
00003b30 47 c3 a9 6e c3 a9 72 61 6c 00 00 00 07 63 61 74 |G..n..ral....cat|
00003b40 6e 61 6d 65 0a 08 63 61 74 65 67 6f 72 79 00 00 |name..category..|
00003b50 00 04 74 79 70 65 00 00 00 08 30 30 30 31 2d 63 |..type....0001-c|
00003b60 61 74 04 03 00 00 00 05 0a 13 53 61 6d 70 6c 65 |at........Sample|
00003b70 20 61 70 70 6c 69 63 61 74 69 6f 6e 73 00 00 00 | applications...|
00003b80 07 63 61 74 6e 61 6d 65 08 8b 00 00 00 05 6f 72 |.catname......or|
```
Server responds with `Content-Type: application/json; charset=utf-8`, but clearly not:
![image](/uploads/1bbcc87f0dc59cd7fcd23f9bea4b1b01/image.png)
3.0.0
Maxime Besson
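For issues #2705 and #2699 above, the following added Python example (not code from the LemonLDAP::NG project) decodes the exact `catname` bytes shown in the cache hexdump of #2699, shows what a JSON `\u` escape decodes to, and reproduces the double-encoding garble (a UTF-8 `é` re-read as Latin-1 and shown as `Ã©`) that both reports describe. The JSON fragment is constructed for the example; only the hex bytes come from the issue.

```python
import json

# Bytes of the "catname" value as they appear in the cache hexdump of
# issue #2699 (offsets 0x3b26..0x3b38); they are valid UTF-8.
CACHE_FIELD_HEX = "49 6e 74 c3 a9 72 c3 aa 74 20 47 c3 a9 6e c3 a9 72 61 6c"

# Constructed JSON fragment (not a real LLNG config dump) carrying the same
# value the way a JSON exporter may escape it.
SAMPLE_JSON_TEXT = '{"catname": "Int\\u00e9r\\u00eat G\\u00e9n\\u00e9ral"}'


def cache_bytes_to_text(hex_dump: str) -> str:
    """Decode a hexdump field strictly as UTF-8 (raises UnicodeDecodeError if it is not)."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("utf-8")


def load_config(text: str) -> dict:
    """json.loads turns every \\uXXXX escape into the real code point."""
    return json.loads(text)


def save_config(cfg: dict) -> bytes:
    """Serialize to UTF-8 bytes; ensure_ascii=False writes 'é' as c3 a9 rather than \\u00e9."""
    return json.dumps(cfg, ensure_ascii=False).encode("utf-8")


def mojibake(text: str) -> str:
    """Reproduce the garble: UTF-8 bytes re-read as Latin-1 ('é' becomes 'Ã©')."""
    return text.encode("utf-8").decode("latin-1")


def undo_mojibake(text: str) -> str:
    """Reverse the garble, but only when the text really is mis-decoded UTF-8."""
    try:
        return text.encode("latin-1").decode("utf-8")
    except UnicodeError:
        return text


def roundtrip_is_lossless(text: str) -> bool:
    """Check that load -> save -> load preserves non-ASCII values."""
    cfg = load_config(text)
    return json.loads(save_config(cfg).decode("utf-8")) == cfg
```

The useful diagnostic is `undo_mojibake`: if applying it to a garbled value yields readable text, the bytes were correct UTF-8 at some point and were decoded with the wrong charset once on the way to the screen or the file.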
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2640
multiValuesSeparator is trimmed when set in manager
2022-05-02T19:20:15Z
Maxime Besson
### Concerned version
Version: 2.0.13
### Summary
* Set General param > advanced > separator to `, ` (with space) in manager
* using lmConfigEditor or something else, see that the value actually stored is `,` (no space)
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2611
Plugin checkState, combination and Kerberos
2023-09-22T14:13:29Z
Clément OUDOT
Trying to use the checkstate plugin (https://lemonldap-ng.org/documentation/latest/checkstate.html) with a setup using the Kerberos/LDAP combination.
Using a bad username works (the check fails), but a valid username and a bad password works.
Logs just say authentication is valid:
```
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Get configuration from cache without verification.
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [info] No cookie found
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Build URL https://auth.example.com/checkstate?secret=secret&user=coudot&password=test
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Redirect 1.1.1.1 to portal (url was /checkstate?secret=secret&user=coudot&password=test)
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] User not authenticated, Try in use, cancel redirection
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Start routing checkstate
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing controlUrl
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing code ref
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing code ref
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing getUser
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] Processing authenticate
[Thu Sep 9 17:25:08 2021] [LLNG:60228] [debug] -> authResult = 0
```
But no Kerberos ticket is sent here.
In discussion
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2556
Unable to use second factor with Kerberos authentication
2021-07-01T21:32:27Z
Clément OUDOT
When using Kerberos and a second factor, the Kerberos authentication fails and the screen to enter the OTP is not shown.
Some logs:
```
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Build URL https://xxxx/?kerberos=1
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?kerberos=1)
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Kerberos ticket received: xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/xxxx.KEYTAB
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing getUser
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing authenticate
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> authResult = 0
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setAuthSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setMacros
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Searching LDAP groups in ou=groups,xxxx for uid=xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Group search filter: (&(objectClass=groupOfNames)(|(member=uid=xxxx)))
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setPersistentSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Persistent session found for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _loginHistory
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _updateTime
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setLocalGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing store
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Store xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Try to get a new SSO session
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Return SSO session d138efbfce3c39d3848060724d1d5443979be09b422914a9887b0cee4a6530e8
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing secondFactor
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Token 1625083574_62763 created
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Generated ext2f code : 059908
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching "Send" external 2F command -> /usr/local/bin/send_sms.sh $mobile $code
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Executing command: /usr/local/bin/send_sms.sh xxxx 059908
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare external 2F verification
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned status: -4 (PE_SENDRESPONSE)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] No cookie found
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Build URL https://xxxx/?cancel=1&skin=xxxx
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?cancel=1&skin=xxxx)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing restoreArgs
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Cancel called, push authCancel calls
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Store 0 in hidden key kerberos
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] Scheme "Kerberos" returned 5, trying next
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare token
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Token 1625083575_27425 created
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned error: 9 (PE_FIRSTACCESS)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned userId: anonymous
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Display type standardform
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin returned: login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Calling sendHtml with template login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
```
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2540
XSS protection of CAS service parameter should be removed
2024-01-18T08:25:29Z
Maxime Besson
In #1795 we implemented a XSS check on the service= parameter of the CAS issuer (1a8948894d61e1f37dda5c95f2ea0a619545f5f6)
However this change breaks some applications, such as Ametys CMS, which generate login URLs that look like this:
```
https://cms.example.com/plugins/core/authenticate/0?contexts=%2Fsites%2Fintranet%2C%2Fsites%2Ftest-projet-b%2C%2Fsites%2Ftest-ametys%2C%2Fsites%2Fcatalogue
```
Note: `%2C` is a legitimate separator in this context.
According to discussions in #1795, this check is meant to protect against tampering with the Location: header.
However, checkXSSAttack does NOT prevent header injection (it is supposed to prevent XSS in HTML documents, a completely different issue). You can try with the following example:
http://auth.example.com/cas/login?service=http://cas.example.com/test%0D%0AX-Test:%20inject%0D%0A
This attack is caught by
```
unless ( $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
$self->logger->error("Bad service $service");
return PE_ERROR;
}
```
<details><summary>(click here to see what happens if I disable this code)</summary>
I'm surprised Plack does not protect you from this:
![image](/uploads/0e01c2040cb7a6992625fa20ebe3ecb8/image.png)
</details>
but this attack is NOT caught by
```
$service = '' if ( $self->p->checkXSSAttack( 'service', $service ) );
```
which makes this check counter-productive in my opinion.
## Conclusion
Checking for XSS attacks should be only done for values that are displayed in HTML pages. For values used in Location: headers, we should only check:
* If they are properly formatted URLs (!185)
* If they are in the list of allowed redirection targets (trustedDomains, declared vhost, etc.)
3.0.0
Maxime Besson
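As an added illustration of the conclusion of #2540 (not code from the LemonLDAP::NG project), the Python below validates a redirect target the way the issue proposes: reject anything that would break out of a `Location:` header, require a properly formatted absolute http(s) URL using the regex quoted in the issue, and require the host to be on an allow-list. The `TRUSTED_HOSTS` set is a constructed stand-in for `trustedDomains` / declared vhosts; the CRLF value and the Ametys URL used in the test are the ones quoted in the issue.

```python
import re
from urllib.parse import unquote, urlsplit

# The format check quoted in the issue: scheme, host part, optional path.
SERVICE_RE = re.compile(r"^(https?://[^/]+)(/.*)?$")

# Constructed allow-list standing in for trustedDomains / declared vhosts.
TRUSTED_HOSTS = {"cas.example.com", "cms.example.com"}


def is_header_safe(value: str) -> bool:
    """A Location value must not carry CR, LF or any other control character."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def is_well_formed_url(url: str) -> bool:
    """Absolute http(s) URL with a non-empty host, as the regex in the issue requires."""
    if not SERVICE_RE.match(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def is_trusted_target(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """Exact host match against the allow-list; urlsplit strips port and userinfo,
    so 'user@cas.example.com@evil' resolves to the real host, not the decoy."""
    host = (urlsplit(url).hostname or "").lower()
    return host in trusted


def validate_service(service: str) -> str:
    """Return 'ok' or the reason this value must not be placed in a Location header."""
    if not is_header_safe(service):
        return "control characters (header injection)"
    if not is_well_formed_url(service):
        return "not an absolute http(s) URL"
    if not is_trusted_target(service):
        return "host not in allowed redirection targets"
    return "ok"


def validate_raw_param(raw: str) -> str:
    """Same check on the still percent-encoded query value, decoded exactly once."""
    return validate_service(unquote(raw))
```

Note that `%2C` in the Ametys URL decodes to a plain comma and passes all three checks, while the CRLF value is stopped by the control-character test before any regex runs; an HTML-oriented XSS filter answers neither question.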
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2507
LLNG 2.0.7 as SAML IDP : OneTimeUse flag set twice in conditions
2022-02-04T12:14:34Z
Claude LOISEAU
### Concerned version
Version: 2.0.7
### Summary
Setting "One time use" to On in the service provider configuration causes an erroneous condition tag to be sent:
```xml
<saml:Conditions NotBefore="2021-04-07T09:47:06Z"
                 NotOnOrAfter="2021-04-08T05:49:06Z">
  <saml:AudienceRestriction>
    <saml:Audience>xxxxxx</saml:Audience>
  </saml:AudienceRestriction>
  <saml:OneTimeUse/>
  <saml:OneTimeUse/>
</saml:Conditions>
```
The tag OneTimeUse is set twice, so the SP rejects assertions.
Setting One time use to Off, the assertion is correctly consumed.
FAQ
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2470
confTimeout does not work in every case
2022-06-16T14:48:10Z
Maxime Besson
### Concerned version
Version: %2.0.11
Platform: Nginx+Fastcgi
### Summary
* Store your config in DBI
* Restart FastCGI
* Make sure the FastCGI process has an existing DB connection in netstat
* filter network traffic to your DB
* Try to access the app
### Logs
```
Feb 19 12:22:47 lemontest LLNG[21390]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
*stuck*
*Processes receives SIGALRM*
*Still stuck*
```
Strace shows SIGALRM is received but the syscall resumes:
```
recvfrom(5, 0x55bb21c77c38, 16384, 0, NULL, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
recvfrom(5,
```
### Possible fixes
* Make syscalls non-resumable?
* :x: Use IO::Socket::Timeout ?
Backlog
Maxime Besson
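To make the failure mode of #2470 concrete, here is an added Python example (not LemonLDAP::NG code; the project is Perl and reads the database through DBI, which is not modelled here). A `socketpair` stands in for the DB connection. The first function shows a blocking read that survives SIGALRM because the handler merely returns and the read is re-issued, which is the visible behaviour in the strace above; the second shows the only way the alarm actually ends the wait, a handler that raises so the read is abandoned rather than resumed.

```python
import signal
import socket
import threading


class ConfTimeout(Exception):
    """Raised inside the SIGALRM handler so the blocked read is abandoned."""


def _raise_timeout(signum, frame):
    raise ConfTimeout("confTimeout expired")


def recv_with_timeout(sock: socket.socket, timeout: float, nbytes: int = 16384):
    """Block in recv(); return the data, or None if SIGALRM fires first.

    Python re-issues recv() after a signal handler returns (PEP 475), which
    matches the 'syscall resumes' behaviour in the strace above. Only a
    handler that raises makes the read non-resumable.
    """
    previous = signal.signal(signal.SIGALRM, _raise_timeout)
    signal.setitimer(signal.ITIMER_REAL, timeout)
    try:
        return sock.recv(nbytes)
    except ConfTimeout:
        return None
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # disarm before restoring the handler
        signal.signal(signal.SIGALRM, previous)


def read_resumes_after_alarm(alarm_after: float = 0.1, reply_after: float = 0.4):
    """The failure mode in the issue: a handler that just returns lets recv() resume.

    Returns (alarm_fired, data): the alarm fires, yet recv() still waits for the
    late reply instead of giving up.
    """
    fired = []
    a, b = socket.socketpair()  # constructed stand-in for the DB connection
    previous = signal.signal(signal.SIGALRM, lambda s, f: fired.append(s))
    late_reply = threading.Timer(reply_after, b.sendall, args=(b"late reply",))
    signal.setitimer(signal.ITIMER_REAL, alarm_after)
    late_reply.start()
    try:
        data = a.recv(64)
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)
        late_reply.join()
        a.close()
        b.close()
    return bool(fired), data


def read_gives_up_on_alarm(timeout: float = 0.2):
    """Same setup, peer never answers: with a raising handler recv() returns None."""
    a, b = socket.socketpair()
    try:
        return recv_with_timeout(a, timeout)
    finally:
        a.close()
        b.close()


def read_before_alarm(timeout: float = 1.0):
    """Control case: the reply arrives first, so the timer is simply disarmed."""
    a, b = socket.socketpair()
    try:
        b.sendall(b"row")
        return recv_with_timeout(a, timeout)
    finally:
        a.close()
        b.close()
```

The example needs a Unix platform and must run in the main thread, since that is where Python delivers signals. The practical lesson for a config backend is the same in any language: an alarm only enforces a timeout if the handler unwinds the blocked call (raise, `longjmp`, or a socket-level read timeout); otherwise the kernel or the runtime resumes the read and the process stays stuck.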
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2370
Memory leak in Lasso when dumping object
2022-06-03T14:09:27Z
Maxime Besson
### Concerned version
Version: 2.0.9
Platform: (Nginx/Apache/Node.js)
### Summary
* Set up LLNG as a SAML Issuer with one SP
* Open a session, and benchmark a simple SAML login flow
* Watch memory rising steadily
### Logs
The main culprit in this particular flow is this code
```perl
if ( $login->is_session_dirty ) {
$self->logger->debug("Save Lasso session in session");
$self->p->updateSession( $req,
{ $self->lsDump => $login->get_session->dump },
$session_id );
}
```
Especially `$login->get_session->dump`; it seems that Lasso will not release memory when the Perl variable goes out of scope.
### Possible fixes
Needs further investigation
Backlog
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2358
OIDC: oidcchecksession and session data encoding
2023-02-07T07:42:21Z
Michael Bailly
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian buster
Web server: NginX
### Summary
The oidcchecksession iframe always returns "changed" to the host web application.
### Possible fixes
The code to encode OIDC session state seems to differ between portal and oidcchecksession iframe.
Portal https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/master/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm#L1608 :
```
my $data = $client_id . " " . $session_id . " " . $salt;
my $hash = sha256_base64($data);
```
JavaScript https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/master/lemonldap-ng-portal/site/htdocs/static/common/js/oidcchecksession.js#L26-29 :
```javascript
client_id = decodeURIComponent(message.split(' ')[0]);
session_state = decodeURIComponent(message.split(' ')[1]);
salt = decodeURIComponent(session_state.split('.')[1]);
ss = btoa(client_id + ' ' + e.origin + ' ' + salt) + '.' + salt;
```
That has the effect of having JavaScript session state never match portal session state, and always returning **changed** to the host web application.
3.0.0
Yadd
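The mismatch in #2358 is easiest to see with both sides of the computation in one place. The following added Python example (not the project's code) computes `session_state` the way the OpenID Connect Session Management draft's example does, `hash(client_id + " " + origin + " " + OP browser state + " " + salt) + "." + salt` with SHA-256 and unpadded base64 (what Perl's `sha256_base64` returns), then shows the check-session side recomputing it with the salt taken from the received value, and reproduces the issue's `btoa` construction to show it can never match. Client id, origin, browser state and salt are constructed values.

```python
import base64
import hashlib
import hmac


def sha256_b64(data: str) -> str:
    """SHA-256 of the UTF-8 text, base64 without '=' padding (what Perl's
    Digest::SHA sha256_base64 returns)."""
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def op_session_state(client_id: str, origin: str, browser_state: str, salt: str) -> str:
    """session_state as in the OpenID Connect Session Management draft's example."""
    return sha256_b64(" ".join((client_id, origin, browser_state, salt))) + "." + salt


def check_session_iframe(client_id: str, origin: str, browser_state: str, received: str) -> str:
    """What the OP's check-session iframe must do with the RP's postMessage:
    take the salt from the received value and recompute with the same inputs."""
    if "." not in received:
        return "error"
    salt = received.rsplit(".", 1)[1]
    expected = op_session_state(client_id, origin, browser_state, salt)
    return "unchanged" if hmac.compare_digest(expected, received) else "changed"


def mismatched_iframe_state(client_id: str, origin: str, salt: str) -> str:
    """The construction from the issue's JavaScript quote: btoa instead of SHA-256
    and no browser state, so it can never equal what the portal computed."""
    raw = (client_id + " " + origin + " " + salt).encode("utf-8")
    return base64.b64encode(raw).decode("ascii") + "." + salt


def demo() -> dict:
    """Constructed values (not from a real deployment)."""
    client_id, origin, opbs = "rp-client-1", "https://rp.example.com", "opbs-cookie-value"
    issued = op_session_state(client_id, origin, opbs, "salt123")
    return {
        "same_state": check_session_iframe(client_id, origin, opbs, issued),
        "after_logout": check_session_iframe(client_id, origin, "different-browser-state", issued),
        "wrong_origin": check_session_iframe(client_id, "https://evil.example.net", opbs, issued),
        "btoa_variant_equal": mismatched_iframe_state(client_id, origin, "salt123") == issued,
    }
```

Two design points worth keeping: the origin in the hash must be the one the iframe actually observes in `e.origin`, so a message from an unexpected origin reads as "changed", and the comparison is constant-time so the iframe does not leak which prefix of the hash matched.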
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2264
regression in mail reset in 2.0: mail already sent does not work any more
2020-12-22T13:50:53Z
dcoutadeur dcoutadeur
### Environment
LemonLDAP::NG version: 2.0.*
Operating system: Red-Hat 7.6
Web server: Apache 2.4.33
### Summary
regression in mail reset in 2.0: mail already sent does not work any more
### Logs
Logs seem to be ok, mail already sent is correctly detected:
```
Reset mail already sent to ***
```
The error seems to be here:
```
# Return mail already sent only if it is allowed at previous step
if ( $self->conf->{portalErrorOnMailNotFound} ) {
$self->setSecurity($req);
return PE_MAILCONFIRMATION_ALREADY_SENT;
}
```
If I understand correctly, the logic should be reversed: if there is no "portalErrorOnMailNotFound", then we could send a message "mail already sent" to user. Am I right?
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2236
Default CSP value for script-src does not allow to load portal inline script
2020-06-16T08:08:32Z
Clément OUDOT
In portal we use inline script:
```
<script type="application/init">
{
"displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">",
"choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">",
"login":"<TMPL_VAR NAME="LOGIN">",
"newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">,
"appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">",
"scriptname":"<TMPL_VAR NAME="SCRIPT_NAME">",
"activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">,
"pingInterval":<TMPL_VAR NAME="PING" DEFAULT="0">,
"trOver":<TMPL_VAR NAME="TROVER" DEFAULT="[]">
}
</script>
```
But default CSP for script-src is `'self'` so this inline script can't be executed.
We should either add `'unsafe-inline'`, or we could maybe compute a nonce to add more security (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)
In discussion
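The nonce option mentioned at the end of #2236 works as follows. The Python below is an added example, not code from the LemonLDAP::NG portal: it generates a fresh CSPRNG nonce per response, adds `'nonce-...'` to `script-src` of the default portal policy (taken from the debug log of issue #2556 on this page), emits a generic inline `<script>` tag carrying the matching `nonce` attribute, and includes a self-check that flags inline scripts rendered without it. The template engine and the `/static/example.js` path are constructed stand-ins.

```python
import base64
import re
import secrets

# Default portal CSP as it appears in the debug log of issue #2556 on this page.
DEFAULT_CSP = ("default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';"
               "connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';")


def new_nonce() -> str:
    """Fresh per-response nonce: 128 bits of CSPRNG output, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_with_nonce(policy: str, nonce: str) -> str:
    """Add 'nonce-...' to script-src only; every other directive is left as-is."""
    out = []
    for directive in (d.strip() for d in policy.split(";")):
        if not directive:
            continue
        if directive.split()[0] == "script-src":
            directive = f"{directive} 'nonce-{nonce}'"
        out.append(directive)
    return ";".join(out) + ";"


def render_inline_script(body: str, nonce: str) -> str:
    """Inline script tag that the browser will accept under the nonce policy."""
    return f'<script nonce="{nonce}">{body}</script>'


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def inline_scripts_without_nonce(html: str, nonce: str) -> list:
    """Self-check for a rendered page: inline <script> tags lacking this response's nonce."""
    bad = []
    for m in _SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: governed by 'self', not by the nonce
        if f'nonce="{nonce}"' not in attrs:
            bad.append(m.group(0))
    return bad


def render_page(init_json: str, nonce: str = None):
    """Return (CSP header value, HTML) for one response; a new nonce each time."""
    nonce = nonce or new_nonce()
    html = ("<html><head>" + render_inline_script(init_json, nonce)
            + '<script src="/static/example.js"></script>'  # constructed path
            + "</head></html>")
    return csp_with_nonce(DEFAULT_CSP, nonce), html
```

The two properties that make this safer than `'unsafe-inline'` are that the nonce is unpredictable and that it is minted once per response and never reused, so an injected `<script>` in the same page has no way to carry the right value.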
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2218
Manager can generate non-unique application id in menu
2021-06-24T13:06:52Z
Clément OUDOT
When creating a new application in the menu from the Manager, the application id is computed from the application name.
If this application has the same name as an application in another category, then it will get the same id, which is possible as applications are sorted by categories in the application hash. But if you change the display rule of the first application, the second application will also be impacted, as they have the same id, and this id is removed from applications shown in the portal.
I am not sure how to fix this...
3.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2187
Template translation uses nonstandard HTML attributes
2020-05-05T08:55:04Z
Maxime Besson
### Concerned version
Version: 2.0
### Summary
Currently we use attributes such as `trspan` and `trplaceholder` inside HTML templates
These attributes are reported by the W3 validator as nonstandard:
### Logs
https://validator.w3.org/nu/?doc=http%3A%2F%2Fauth.openid.club
* Error: Attribute trspan not allowed on element title at this point.
* Error: Attribute trplaceholder not allowed on element input at this point.
* etc.
### Possible fixes
We should probably be using "data-*" attributes instead:
https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes
Doing so might break custom templates if we do it during the 2.0 cycle
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2186
abandoned authentication attempt leads to mix-up of issuer contexts
2023-06-12T15:09:14Z
Maxime Besson
Following the bugfix in #1939, the following scenario remains broken:
* Browse to Issuer 1
* Get redirected to login form
* Don't touch login form, browse to Issuer 2
* Get redirected to login form again
* This time, actually login
* LLNG sends you to issuer 1
This works if issuer 1 and issuer 2 are the same type (CAS, OIDC or SAML), but not if issuer 1 and issuer 2 are different types.
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2112
Local session cache causing basic auth failures
2022-12-13T13:44:07Z
Chris A
### Concerned version
Version: %"2.0.7"
Platform: Nginx
### Summary
When using basic auth with a local session cache, basic auth will start to fail once a day for several minutes even though the backend authentication succeeds. It seems to be related to the local session cache keeping an expired session, and the local purge script cleans it up too late.
### Logs
```
Feb 20 20:03:08 janus LLNG[15821]: [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] Get session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf from Handler::Main::Run
Feb 20 20:03:08 janus LLNG[15821]: [debug] Check session validity from Handler
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeout -> 72000
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session _utime -> 1582156801
Feb 20 20:03:08 janus LLNG[15821]: [debug] now -> 1582228988
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeoutActivityInterval -> 60
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session TTL = -187
Feb 20 20:03:08 janus LLNG[15821]: [info] Session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf expired
```
### Backends used
LDAP is used for the authentication backend, and Redis is used as the session storage. The session cache was the file backend.
### Possible fixes
If I manually delete the session from the file cache while the issue is happening, it is fixed. I have since disabled the session cache entirely which has also fixed the issue.
(just as a side note for anyone trying this, the manager interface did not allow an empty field, so I had to set an empty value in the config file manually)
I'm not sure what a proper fix would be, but it seems that the basic auth handler could fall back to the main session database if it sees an expired entry and somehow refresh the expired session in the cache.
Backlog
Christophe Maudoux
chrmdx@gmail.com
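The fallback the reporter of #2112 suggests can be sketched as follows. This is an added Python example, not LemonLDAP::NG code: it reproduces the TTL arithmetic from the log above (timeout 72000, `_utime` 1582156801, now 1582228988 gives -187), puts a local cache in front of a constructed stand-in for the main session store, and makes an expired cache entry trigger a lookup in the store instead of an outright rejection, refreshing or evicting the cached copy accordingly. The store class and the renewed `_utime` value are assumptions for the demonstration; the session id is the one from the log.

```python
# Values from the handler log in the issue.
SESSION_TIMEOUT = 72000          # "Session timeout -> 72000"
LOG_UTIME = 1582156801           # "Session _utime -> 1582156801"
LOG_NOW = 1582228988             # "now -> 1582228988"


def session_ttl(utime: int, now: int, timeout: int = SESSION_TIMEOUT) -> int:
    """Seconds of validity left; negative means expired (the log shows -187)."""
    return utime + timeout - now


class SessionStore:
    """Constructed stand-in for the main session backend (Redis in the report)."""

    def __init__(self):
        self._sessions = {}

    def put(self, sid: str, data: dict) -> None:
        self._sessions[sid] = dict(data)

    def get(self, sid: str):
        data = self._sessions.get(sid)
        return dict(data) if data is not None else None


class CachedSessionLookup:
    """Local cache in front of the store, with the fallback the reporter suggests:
    an expired cache entry is not trusted; the store is asked and the cache refreshed."""

    def __init__(self, store: SessionStore):
        self.store = store
        self.cache = {}

    def get_valid_session(self, sid: str, now: int):
        """Return (session, source) with source 'cache' or 'store', or (None, 'expired')."""
        cached = self.cache.get(sid)
        if cached is not None and session_ttl(cached["_utime"], now) > 0:
            return cached, "cache"
        # Cache miss or stale entry: consult the main store before rejecting.
        fresh = self.store.get(sid)
        if fresh is None or session_ttl(fresh["_utime"], now) <= 0:
            self.cache.pop(sid, None)  # drop the stale copy instead of keeping it
            return None, "expired"
        self.cache[sid] = fresh
        return fresh, "store"


def demo():
    """Replay the log: the cache holds the old _utime, the store has a renewed one."""
    sid = "b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf"
    store = SessionStore()
    lookup = CachedSessionLookup(store)
    lookup.cache[sid] = {"_utime": LOG_UTIME, "uid": "xxx"}   # stale local copy
    store.put(sid, {"_utime": LOG_NOW - 60, "uid": "xxx"})    # assumed: renewed elsewhere
    first = lookup.get_valid_session(sid, LOG_NOW)
    second = lookup.get_valid_session(sid, LOG_NOW)
    return session_ttl(LOG_UTIME, LOG_NOW), first[1], second[1]


def demo_fully_expired():
    """Both copies expired: the lookup rejects and also evicts the stale cache entry."""
    store = SessionStore()
    lookup = CachedSessionLookup(store)
    lookup.cache["s"] = {"_utime": LOG_UTIME}
    store.put("s", {"_utime": LOG_UTIME})
    result = lookup.get_valid_session("s", LOG_NOW)
    return result, "s" in lookup.cache
```

The important security property is preserved: a session that is expired in the authoritative store is still rejected, and the local cache is only ever a shortcut for a decision the store would also make.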
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2023
Manage prompt=none in OIDC
2019-11-21T17:01:46Z
Clément OUDOT
Section 3.1.2 from OpenID Connect core specification
We should redirect when user is not authenticated
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1981
Unable to deactivate "Force UTF-8" in SAML SP attribute configuration
2019-11-20T16:17:01Z
François Joulaud
### Concerned version
Version: %"1.9.22"
Platform: (Apache)
### Summary
When we unset "Force UTF-8" in the "Authentication Response" section of the SAML Service Provider configuration, Manager sets samlSPMetaDataOptionsForceUTF8 to "0", but this does not have the intended effect, as the mere presence of the key activates UTF-8 re-encoding.
### Backends used
Configuration is stored in json files.
### Possible fixes
Probably a change somewhere here, checking the value of `$force_utf8` and not only the presence of the key:
```
sub createAttributeValue {
my ( $self, $value, $force_utf8 ) = @_;
my $saml2value;
$force_utf8 = 1 unless defined($force_utf8);
# Value is required
return unless defined $value;
# Decode UTF-8
$self->logger->debug("Decode UTF8 value $value") if $force_utf8;
$value = decode( "utf8", $value ) if $force_utf8;
```
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/blob/master/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm#L2915
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1886
mysql and MariaDB DBI UserBackend UTF8 encoding
2022-05-02T15:12:54Z
Andreas Deschka
### Concerned version
Version: %2.0.5
Platform: (Nginx)
### Summary
Variables read out of the MariaDB database are not UTF-8 encoded.
In the database there is for example "Österreich". The Ö will appear as a question mark in the session variable.
Tables, columns in the database are encoded in utf8mb4.
I used dbi:mysql and dbi:MariaDB. Neither worked.
For dbi:mysql I added in the connect command the option to enable utf8mb4:
```
DBI->connect_cached(
$conf->{dbiAuthChain}, $conf->{dbiAuthUser},
# setting mysql_enable_utf8mb4 does not seem to help
$conf->{dbiAuthPassword}, { RaiseError => 1, mysql_enable_utf8mb4 => 1 }
);
```
For dbi:MariaDB the change resulted in an error.
When I added the following line before `$req->{sessionInfo}->{$var} =$req->data->{entry2}->{$attr}` in NG/Portal/UserDB/DBI.pm, it worked correctly:
```
utf8::encode( $req->data->{entry}->{$attr} );
```
Maybe I am missing something with setting up the configuration. I use the coudot/lemonldap-ng:2.0.5 docker image.
### Backends used
Database is MariaDB version 10.3.15.
FAQ