lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2017-12-21T11:16:42Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1334
Logout does not work in the CDA context with multiple servers
2017-12-21T11:16:42Z
Guillaume VANEECLOO
Logout does not work in the CDA context with multiple servers
Hello,
I have an architecture with multiple servers, one dedicated to the lemonldap-ng portal (SSO server) and another dedicated to my application (WAS server).
My application can be accessed by several URLs with different domains.
First, when I log in to my application by a URL in the same domain as the lemonldap-ng portal, the logout works well. However, I notice that the session is purged from the local cache on the SSO server but not on the WAS server, but the logout works because the cookie is cleared.
Then, when I log in to my application by a URL in a different domain from the lemonldap-ng portal (CDA context), the logout doesn't work, although the session is purged from the local cache on the SSO server.
I had a look at the code and I think a
```perl
$session->remove;
```
is missing in package Lemonldap/NG/Handler/Main.pm in method localUnlog.
I did some tests and it seems to solve my problem.
I use lemonldap-ng 1.9.14.
In discussion
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/9
[SAML] Partner metadata auto-refresh
2019-06-05T16:41:45Z
Clément OUDOT
[SAML] Partner metadata auto-refresh
We should be able to configure metadata auto-refresh, through a cron job.
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/23
Simplified Manager interface
2017-12-05T18:36:04Z
Yadd
Simplified Manager interface
From older GForge bugtracker:
Building on the group system, a simplified management interface could be created where the administrator would only have to choose the list of groups allowed to access a part of the site.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/38
[SAML] Manage ECP (Enhanced Client or Proxy)
2020-10-25T20:56:55Z
Clément OUDOT
[SAML] Manage ECP (Enhanced Client or Proxy)
Backlog
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/39
[SAML] Authentication authority
2017-12-05T18:36:04Z
Clément OUDOT
[SAML] Authentication authority
LemonLDAP::NG IDP will also be a SAML2 authentication authority.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/48
[SAML][IDP] Manage consent
2017-12-05T18:36:04Z
Clément OUDOT
[SAML][IDP] Manage consent
We should ask the user for consent if consent was previously obtained from the SP.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/59
RRD database for handlers (status)
2017-12-05T18:36:04Z
Yadd
RRD database for handlers (status)
The status process provides data that must be collected by another process (like mrtg). The idea here is to store this data in an RRD and display it with a little CGI (parameter: RRDstatus => /somewhere/db.rrd). It could be used with or without status => 1.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/60
Squid handler
2020-01-30T12:53:52Z
Yadd
Squid handler
In some cases, using Squid can be more interesting than Apache for reverse proxies. Using the same interface as SquidGuard, it seems possible to build a handler.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/158
[SAML] NameID Management
2017-12-05T18:36:05Z
Clément OUDOT
[SAML] NameID Management
NameID Management is required for IDP/SP SAML2 conformance, but not mandatory for IDP/SP Lite SAML2 conformance.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/219
Auth & UserDBSympa
2017-12-05T18:36:05Z
Yadd
Auth & UserDBSympa
Use the Sympa database as backend.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/290
Dynamic output filters are not called on /
2017-12-05T18:36:05Z
Clément OUDOT
Dynamic output filters are not called on /
We sometimes use output filters, injected dynamically (with $r->add_output_filter), for example to manage logout or form replay. Recently I used this with the SecureToken Handler.
But it seems we have a little bug. The output filter is always called, except if the URI is '/'. It is maybe a side effect of DocumentIndex? I will try to send a mail to the mod_perl users mailing list to get more information.
This is not a critical bug, as our filters are often executed on URIs not equal to '/'.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/321
Use references from URI regexp in rules
2020-01-29T07:04:56Z
Clément OUDOT
Use references from URI regexp in rules
The idea is to catch a string in the URI to be used in the rule, like:
```
/groupe-(\d+) => $groups =~ /groupe$1/
```
This needs to be done in all modules that use the "grant" function. It seems not really easy; planning this for a later release.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/372
Check XMLSec vulnerability within Lasso integration
2019-10-14T16:15:37Z
Clément OUDOT
Check XMLSec vulnerability within Lasso integration
On Wednesday 26 October 2011 at 08:53 +0200, Clément OUDOT wrote:
> 2011/10/25 Mikaël Ates <mates@entrouvert.com>:
> > Hello Clément,
> >
> > Thank you for having posted this alert on the list.
> >
> > The encrypted elements with W3C XMLEnc handled in Lasso are
> > EncryptedAssertion and EncryptedID. The material for EncryptedAttribute
> > is present but not yet used in the assertion processing. So I limit my
> > answer to these two elements for the SAML2 Authnrequests for now.
> >
> > The attack described [1] is based on the decryption server used as an
> > oracle.
> >
> > So the first thing is that the signature verification first prevent to
> > treat crafted messages for entities other than the IdPs trusted by the
> > SP:
> > - response signature is checked before assertion decryption
> > - assertion signature is checked before nameId decryption
> >
> > So we may consider this threat limited to rogue IdPs. For instance a
> > rogue IdP intercepts a response provided to an SP by a third IdP and uses
> > the SP as an oracle to decrypt it.
> >
> > The attack relies on the Oracle answers, especially on an XMLEnc error
> > message given when there is a padding error or an invalid character in
> > plain text. The advice given by the authors is thus to provide unified error
> > messages to mislead oracle functions. That means that a same error
> > message returned should cover the XMLEnc security error and application
> > level errors.
> >
> > Lasso relies on xmlsec as an implementation of XMLEnc. The xmlsec
> > function xmlSecEncCtxDecrypt() is used, which returns a negative value
> > if an error occurs, error including a padding error or an invalid
> > character in the plain text decrypted.
> >
> > Lasso uses the decryption function lasso_node_decrypt_xmlnode() that
> > returns LASSO_DS_ERROR_DECRYPTION_FAILED if the xmlsec function
> > xmlSecEncCtxDecrypt() returns a negative value. This error is also
> > returned by lasso_node_decrypt_xmlnode() when there is no encryption
> > method in encryptionData, a missing Algorithm, an unknown encryption
> > method or a missing encrypted key node.
> >
> > When Lasso tries to decrypt assertions it handles multiple encrypted
> > assertions. And if at least one assertion can be decrypted, no error is
> > raised. If no assertion is decrypted, because for each assertion, there
> > is an error in:
> > - a missing key,
> > - a malformed xml sec element,
> > - a lasso_node_decrypt_xmlnode() error,
> > - a malformed assertion,
> > it results in a missing assertion in the response, the error
> > LASSO_PROFILE_ERROR_MISSING_ASSERTION is returned by Lasso. How this
> > error is handled is implementation dependent.
> >
> > When Lasso tries to decrypt an EncryptedID element, if xmlsec returns an
> > error, Lasso returns LASSO_DS_ERROR_DECRYPTION_FAILED. How this error is
> > handled is implementation dependent.
> >
> > In both cases, this should result in an unqualified error message given
> > in the HTTP response to the browser.
> >
> > Hope it helps,
>
>
>
> Hi Michael,
>
> thanks a lot for this very sharp answer, but as I am really not an
> XMLSec expert, I just understand that the only impact for Lasso is
> that it will return a LASSO_DS_ERROR_DECRYPTION_FAILED error. So, for
> software using Lasso, nothing to do if we already manage Lasso
> errors?
Hi,
The implementations using Lasso must take care that:
1- With encrypted assertions, response should be signed.
2- When the authnresponse processing fails, the kind of error should not
be returned in the HTTP response given to the browser.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/388
prompt custom info at session opening
2019-10-14T20:52:23Z
FX Deltombe
prompt custom info at session opening
It would be interesting to prompt some custom messages to users just before redirecting them, and to manage the rules in the manager.
Assume $portal->{promptInfoRules} looks like { condition => message, ... },
for example:
```perl
{
    $startTime =~ /^\d{4}$birthday\d{6}$/ => "Happy Birthday, $firstname !",
    !$telephonNumber => "You should fill in your telephone number <a href='xxx'>here</a>"
}
```
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/451
[SAML] Choose SLO method in IDP configuration
2019-10-14T16:18:11Z
Clément OUDOT
[SAML] Choose SLO method in IDP configuration
We may want to override the choices from metadata and set the SLO method we want to use between an SP and an IDP.
See #397
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/764
Reset password by SMS
2019-11-21T16:49:07Z
Clément OUDOT
Reset password by SMS
Reset password by SMS, using an SMS web service.
Backlog
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/452
Merge infoFormMethod, confirmFormMethod and redirectFormMethod
2017-12-05T18:36:13Z
Clément OUDOT
Merge infoFormMethod, confirmFormMethod and redirectFormMethod
See #422, we now have 3 configuration parameters for form method. We have to analyze whether they can be merged into one. This will need a lot of tests with Notifications and SAML.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/462
WebFinger as new UserDB
2019-04-23T08:07:40Z
Yadd
WebFinger as new UserDB
WebFinger is a new protocol (used by Diaspora) used to publish user data [http://hueniverse.com/2009/08/introducing-webfinger/]. It could be used as a UserDB (in conjunction with AuthOpenID for example).
In discussion
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/779
Error with Multiple userDB
2018-12-04T08:23:39Z
Valérie Bauche
Error with Multiple userDB
Authentication module is SAML v2
UserDB module is Multi => LDAP;Null
When UserDB succeeds on LDAP it's OK, but when it fails there is an infinite loop between SP and IDP:
```
[warn] No SP found in configuration
[warn] Lemonldap::NG : john.doe@bull.net was not found in LDAP directory (192.168.37.1)
[error] SSO request or response was not found
[warn] No SP found in configuration
[warn] Lemonldap::NG : john.doe@bull.net was not found in LDAP directory (192.168.37.1)
[error] SSO request or response was not found
[warn] No SP found in configuration
[warn] Lemonldap::NG : john.doe@bull.net was not found in LDAP directory (192.168.37.1)
[error] SSO request or response was not found
...
```
There is a temporary solution to avoid this error:
patch AuthSAML.pm, line 358:
```
# This should not happen
$self->lmLog( "SSO request or response was not found", 'error' );
+ return PE_OK;
+
# Redirect user
$self->{mustRedirect} = 1;
return $self->_subProcess(qw(autoRedirect));
```
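Review bot: the added `return PE_OK;` sits directly under `$self->lmLog( "SSO request or response was not found", 'error' );` and the `# This should not happen` comment, so a condition the code logs as an error is reported to the caller as success, and the `$self->{mustRedirect} = 1;` and `autoRedirect` lines that follow become unreachable. That breaks the loop shown in the log by suppressing the redirect, but it does not explain why a failed UserDB lookup re-enters the SAML flow; returning an explicit error code here, so the failure is visible to the user and in the log, and fixing the Multi UserDB fallback would be safer than returning PE_OK.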
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/480
Floating menu is not localized
2018-08-08T21:21:14Z
Daniel B.
Floating menu is not localized
The floating menu is great, but the texts Home and Logout are hardcoded. Would it be possible to localize this?
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/482
Rules for maintenance mode
2019-11-21T17:36:36Z
Daniel B.
Rules for maintenance mode
The new maintenance mode is a great idea, but it would be better if it was possible to enable it with specific rules. For example, we could set:
```
$groups !~ /\badmins\b/
```
so users get the maintenance message, but members of the admins group can upgrade the app and check everything is OK before removing the maintenance mode.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1005
Choice module breaks OpenID Connect and other methods requesting URL params
2017-12-05T18:36:13Z
James Hook
Choice module breaks OpenID Connect and other methods requesting URL params
When using the Choice module for authentication, a URL parameter is provided allowing a different address to authenticate.
However, when using an OpenID Connect Relay (and possibly other methods) which redirect to a page such as /oauth2/..., the URL given drops these params.
This means the first login of the day will fail to redirect correctly.
I fixed this by patching line 201 of /usr/share/perl5/Lemonldap/NG/Portal_Choice.pm to have the following:
```
--- ./_Choice.pm.hookbak 2016-05-04 17:40:01.000000000 +1200
+++ ./_Choice.pm 2016-05-04 17:39:38.000000000 +1200
@@ -198,6 +198,7 @@
# Default URL
$url ||= "#";
+ $url =~ s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/g;
# Options to store in the loop
my $optionsLoop =
```
This then allows the url to contain $REQUEST_URI.
In our case we use Kerberos via Apache and LDAP as a fallback (based on http://lemonldap-ng.org/documentation/1.3/authapache ).
To allow this patch to work, the Choice module has LDAP and Kerberos. LDAP is the default setting; Kerberos has the url now set to:
/krb.pl$REQUEST_URI
Apache configs:
```
# OpenID Connect Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^(/krb.pl)?/oauth2/.* /index.pl
RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl
</IfModule>
```
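Review bot: in the hunk line `+ $url =~ s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/g;` the replacement side is interpolated as a string rather than evaluated, because there is no /e modifier, so the literal text ` . ` ends up in the URL between the two values; to concatenate you need `s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/ge` or a single interpolated variable. Apache's REQUEST_URI already carries the query string, so appending QUERY_STRING (with no `?` separator) duplicates it. Both values come straight from the incoming request and are written into a URL the portal then sends the browser to, so the substituted value should be validated or URL-encoded rather than inserted verbatim.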
And issuerDBOpenIDConnectPath inside the manager is now set to:
^(/krb.pl)?/oauth2/
This will only fix OpenID Connect.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/525
Better manage notifications to display
2019-10-14T16:21:00Z
FX Deltombe
Better manage notifications to display
LL::NG portal loads notifications to display in a strange way:
* it loads all notifications concerning the user or all users (regardless of whether they are done),
* then it generates HTML for all these notifications (which is quite a heavy job),
* then, for each notification, it checks if it must be displayed or not (because already done, or because the condition does not match),
* and it loads all notifications into session data, regardless of whether they are displayed.
It would be much more thrifty
* to generate HTML only for notifications which are displayed,
* not to store any notification in session data (it doesn't seem to be used anywhere).
Besides, it would save memory to share the XSLT parser object between Apache threads, instead of recreating it each time a user is authenticated.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/526
Support for System for Cross-domain Identity Management (SCIM)
2019-11-21T16:46:41Z
Edward Beuerlein
Support for System for Cross-domain Identity Management (SCIM)
SCIM seems to be a new protocol that is being rapidly adopted by Google, Ping Identity and others. It would be a great addition for LemonLDAP-NG to support it as well. Their main website: http://www.simplecloud.info/
Backlog
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1021
UserDB Twitter
2018-12-04T08:26:53Z
Clément OUDOT
UserDB Twitter
With the access token from AuthTwitter, we can write a UserDBTwitter by calling the https://dev.twitter.com/rest/reference/get/account/verify_credentials OAuth endpoint.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/791
attribute duplication in specific module and in general exported variables results in empty variable
2017-12-05T18:36:13Z
dcoutadeur dcoutadeur
attribute duplication in specific module and in general exported variables results in empty variable
For example, if I define cn both in the LDAP module variables and in the exported variables section of the manager, it results in cn=empty.
This bug was reported by someone I know, it must be reproduced for confirmation.
If reproduced, it must be checked that a lemonldap upgrade can or cannot lead to this problem.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/610
Sympa 6 Auto login
2017-12-05T18:36:13Z
Florian Praden
Sympa 6 Auto login
Hi,
Since Sympa v6.0, sharing the Sympa auth is no longer possible via the cookie.
See: http://www.sympa.org/manual_6.0/authentication#sharing_wwsympa_s_authentication_with_other_applications
For now, I added a new handler to do it, which interacts directly with the Sympa database.
Sympa6AutoLogin.pm and SympaSession.pm (which is a partial copy of the Sympa perl module)
SympaHandler is the handler to adapt to the config.
It's in alpha state.
Another possibility for a "near" future: https://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4056&group_id=23&atid=170
Best,
--
Florian
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/797
Configuration format 2.0
2017-12-05T18:36:14Z
Yadd
Configuration format 2.0
Our configuration format has some little flaws. This page can store some ideas for a new format.
Change kinematics :
* new conf has a format key : format => '2.0'
* if format isn't set, warn + call old lib
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1032
single logout across SAML and OpenID Connect protocols
2023-02-01T13:27:57Z
dcoutadeur dcoutadeur
single logout across SAML and OpenID Connect protocols
There is a protocol bridge for SSO, but I noticed there is not always one for SLO.
In particular, I have tested the following use cases.
It involves 3 different actors:
- a LemonLDAP::NG as SAML IdP and OIC provider,
- a LemonLDAP::NG OIC RP
- a SAML SP

| logout from / actor | IdP | SAML SP | OIC RP |
|---|---|---|---|
| logout from IdP | OK | OK | KO |
| logout from SAML SP | OK | OK | KO |
| logout from OIC RP | OK | KO | OK |

1. Could we imagine a push disconnect on the RP? (I don't think it is provided by the OIC protocol, is it?)
2. Why does SP disconnection not occur when logout is initiated from the RP? (whereas SP disconnection occurs when initiated from the IdP)
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/624
WebID identity provider (FOAF document hosting)
2017-12-05T18:36:14Z
Yadd
WebID identity provider (FOAF document hosting)
WebID uses certificates that point to a URL, which publishes a FOAF document (and the public key for verification).
We can provide an IssuerDBWebID that will build the FOAF document using session data (must include a certificate).
A SOAP service will provide a unique URL that has to be included in the subjectAlternativeName of certificates. Perhaps we can include an app in the menu to get a WebID certificate.
The unique URL will be like <portal>/webidp/<crypt($whatToTrace)>/me.rdf so data is protected; an anonymous user must know the URL before reading personal data.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1051
support advanced integration for saml sso on chrome devices
2020-10-25T20:56:13Z
Glenn Mcgurrin
support advanced integration for saml sso on chrome devices
Add support for advanced integration for SAML SSO on Chrome devices to ease login on Chromebooks via LemonLDAP. See the URL below for Google's documentation regarding this:
https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/809
Reset password by questions
2019-11-21T17:45:09Z
Clément OUDOT
Reset password by questions
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/696
Hide unwanted categories
2017-12-05T18:36:14Z
Jessy Campos
Hide unwanted categories
Now the user can order the categories as he wants. He should be able to hide some of them (like a retractable menu, maybe).
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/697
LL::NG not working properly with Novell eDirectory
2018-12-04T08:28:08Z
Jessy Campos
LL::NG not working properly with Novell eDirectory
I'm working with a Novell eDirectory. The authentication works fine with LDAP settings, but the password change does not. I found working code here http://support.novell.com/techcenter/articles/dnd20030504.html. But LL::NG doesn't handle the password change and the eDirectory error codes.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1066
XEP-0070 (XMPP) authentication
2017-12-05T18:36:14Z
Clément OUDOT
XEP-0070 (XMPP) authentication
Seems like an OTP authentication, see https://linuxfr.org/news/authentifiez-vous-sans-mot-de-passe-grace-a-xmpp
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/812
Manage individual claims in OpenID Connect
2019-11-21T16:49:56Z
Clément OUDOT
Manage individual claims in OpenID Connect
The protocol allows to request individual claims: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
Backlog
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/724
option updateCache to LL::NG::Common::Session::update
2017-12-05T18:36:14Z
FX Deltombe
option updateCache to LL::NG::Common::Session::update
It would be useful to have an option updateCache to LL::NG::Common::Session::update, that would be
* -1 in order not to update the cache
* 0 in order to update the cache only on the current server (this is the current behaviour)
* 1 in order to update the cache on all servers
* 2 in order to update the cache on the current server but not the session backend (for local macros)
It would allow local macros to be inserted with a high-level function, instead of handling the session cache by hand, as now (by the way, this makes cached objects unavailable; well, this is a bug).
The way to implement updateCache = 1 was discussed in #712.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1111
GUI Accessibility for people with visual disabilities
2020-04-14T13:42:38Z
Antoine Rosier
GUI Accessibility for people with visual disabilities
Web Accessibility Audit reveals non-accessible elements for people with low vision.
Tags, attributes and headings:
The connection history page (menu.tpl) should contain table headings (<thead> and <caption> tags) and more scope attributes on the tags.
Everything is in module Simple.pm
For example:
```
<table>
<caption>Dernières connexions</caption>
<thead>
<tr>
<th scope="col">Date</th>
<th scope="col">Adresse IP</th>
<th scope="col">Mode d'authentification</th>
</tr>
</thead>
<tbody>
<tr>
<td>25/10/2016 12:01:13</td>
<td>10.192.53.158</td>
<td>par mot de passe</td>
</tr>
</tbody>
</table>
```
3.0.0
Antoine Rosier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/814
Uniformisation of state management
2018-12-04T08:33:16Z
Clément OUDOT
Uniformisation of state management
We use a state in SAML, CAS and OIDC. Some code can be shared to manage this.
Backlog
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1112
Manager accessibility for people with visual disabilities
2017-12-05T18:36:14Z
Yadd
Manager accessibility for people with visual disabilities
Distinct ticket from #1111, will be resolved later
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1124
Bad type for oidcRPMetaDataOptionsIDTokenSignAlg
2017-12-05T18:36:14Z
Yadd
Bad type for oidcRPMetaDataOptionsIDTokenSignAlg
oidcRPMetaDataOptionsIDTokenSignAlg is declared as "select" in Manager::Build::Attributes but documentation indicates a list of algorithms.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1142
Make LemonLDAP::NG pass OpenID Connect certification tests
2018-11-28T11:35:38Z
Clément OUDOT
Make LemonLDAP::NG pass OpenID Connect certification tests
I give a try to http://openid.net/certification/testing/
Some tests are OK, others are not. I will trace in this issue the changes that need to be done to get the certification.
3.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/844
Use an avatar service to display user photo in portal
2019-11-21T17:46:46Z
Clément OUDOT
Use an avatar service to display user photo in portal
Libravatar (https://www.libravatar.org/) is a free service that displays user photo from its email.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/869
Logout forward doesn't work on Firefox version 23 or later
2018-11-28T12:51:04Z
Philippe Baye
Logout forward doesn't work on Firefox version 23 or later
The "Logout Forward" feature is built with an iframe (sourcing the configured logout URL).
But by default, Firefox (from version 23) blocks mixed content (http/https).
This is set with the configuration parameter "security.mixed_content.block_active_content=true".
So, if the LL::NG Portal URL is on HTTPS, no logout request is sent for applications where the logout URL is defined on HTTP.
Replacing the "iframe" by an "img" avoids changing the Firefox configuration (security.mixed_content.block_active_content=false).
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/933
Secondary portal URL
2023-11-13T13:34:00Z
Alexander Shabaev
Secondary portal URL
Hello!
We have a proxy server with OTP to secure users connecting to LAN services from the Internet.
The LemonLDAP portal is used as a second proxy to authenticate users with LDAP.
But LL redirects users connecting to the inner site to portal.innerdomain.ru, which is not known by the external DNS.
Can I set up a secondary URL for the portal, like portal.ru, to authenticate external users, or must I create a secondary portal with something like remote authentication?
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/977
Problem with accented characters in SOAP requests
2018-12-04T08:29:39Z
Richard Phan
Problem with accented characters in SOAP requests
Hi,
I have a critical bug. I use SOAP for sessions, but when there are accents in session information, the handlers send increasingly large POST requests to /index.pl/adminSessions:
```
lemonldap [11/Mar/2016:14:52:16 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 146080 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:52:41 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 146080 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:53:41 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 277152 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:54:51 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 539296 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:56:01 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 1063584 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:57:02 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 2112160 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:57:16 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 4209312 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:58:07 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 4209312 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:59:32 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 8403616 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:59:37 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 8403616 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:01:48 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 16792224 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:01:54 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 16792224 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:51 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:46 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:35 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:28 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:40 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:22 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
...
```
A SOAP request size may exceed 60 MB!
I dumped all my MySQL requests and here is a request extract which shows the problem: an accented character is replaced by strange repeated characters:
```
UPDATE sessions SET a_session = '^E ^Y\0\0\0\0^_^D^Y\0\0\0\0^A^D^B\0\0\0^E^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1456741132^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455876018^B\0\0\
0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455874416^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455793697^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455712268^B\0\0\
0^F_utime^B\0\0\0^LsuccessLogin^B\0\0\0^LloginHistory^A\0\0^B^KJosÃ<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â
<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â
<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â
<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â
<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â
<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>...
```
As you see, the word José is replaced by JosÃ<U+0083>Â<U+0083>Ã<U+0082>...
Any idea?
Regards
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1153
Edge is unable to show the manager site
2017-12-05T18:36:14Z
Michael Goldfinger
Edge is unable to show the manager site
When opening the management site with Edge I get the error shown on the screenshot and no menu is shown on the left side.
With Firefox the same site shows just fine.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/982
CPAN tests fail for Lemonldap-NG-Handler
2017-12-05T18:36:14Z
Clément OUDOT
CPAN tests fail for Lemonldap-NG-Handler
See for example http://www.cpantesters.org/cpan/report/3c076310-eeaf-11e5-a54c-72f12867457e
```
# Failed test 'use Lemonldap::NG::Handler::Reload;'
# at t/01-Lemonldap-NG-Handler-Main.t line 13.
# Tried to use 'Lemonldap::NG::Handler::Reload'.
# Error: Can't locate Crypt/Rijndael.pm in @INC (you may need to install the Crypt::Rijndael module) (@INC contains: /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/lib /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/arch /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/lib /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/arch /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/arch /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5 /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/lib /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/arch /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/lib /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/arch /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/arch /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5 /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/site_perl/5.23.8/x86_64-linux /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/site_perl/5.23.8 /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/5.23.8/x86_64-linux /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/5.23.8 
.) at /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib/Lemonldap/NG/Common/Crypto.pm line 12.
# BEGIN failed--compilation aborted at /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib/Lemonldap/NG/Common/Crypto.pm line 12.
# Compilation failed in require at /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib/Lemonldap/NG/Handler/Reload.pm line 12.
# BEGIN failed--compilation aborted at /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib/Lemonldap/NG/Handler/Reload.pm line 12.
# Compilation failed in require at t/01-Lemonldap-NG-Handler-Main.t line 13.
# BEGIN failed--compilation aborted at t/01-Lemonldap-NG-Handler-Main.t line 13.
# Looks like you planned 10 tests but ran 2.
# Looks like you failed 1 test of 2 run.
# Looks like your test exited with 25 just after 2.
t/01-Lemonldap-NG-Handler-Main.t .........
Dubious, test returned 25 (wstat 6400, 0x1900)
Failed 9/10 subtests
t/02-Lemonldap-NG-Handler-Main-Portal.t .. ok
```
The dependency on Crypt::Rijndael seems to be missing.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1154
Let the user choose a login name when registering an account
2020-05-08T15:31:53Z
Michael Goldfinger
Let the user choose a login name when registering an account
I found no way to let users enter their login names. The login names are instead constructed from the first and last name.
So if the name is Michael Goldfinger, the login name will be mgoldfinger. But I would like to choose freely.
If this is not possible, please consider this a feature request.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/990
High performance portal
2017-12-05T18:36:14Z
Yadd
High performance portal
Create a special skin, full JavaScript with the HTML5 manifest mechanism:
* all templates contain only the manifest link and a JavaScript to load (so it always stays in cache)
* JS calls `process()/display()` in Ajax mode and loads static HTML sub-files for all cases
So the network will carry just a very few packets after the first use.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1167
Manage multi-tenancy (multi-tenant) with Apache
2018-02-07T13:07:54Z
Clément OUDOT
Manage multi-tenancy (multi-tenant) with Apache
We already discussed this feature. The goal is to have one LL::NG installation that can be used for several tenants (clients/domains/etc.).
I think the work that is needed is:
* Be able to set the lemonldap-ng.ini file to use as an environment variable in Nginx/Apache virtual hosts
* Be able to separate caches between tenants, maybe by having the tenant ID as primary cache level
With a different lemonldap-ng.ini per tenant, it is then really easy to isolate configuration/sessions for each tenant.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1180
Have a unique user variable for logs
2017-12-05T18:36:14Z
Clément OUDOT
Have a unique user variable for logs
See issue #1145
We need a single variable to display user in logs
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1182
Cache management in high availability configuration
2019-12-18T15:47:51Z
Joseph Beaufils
Cache management in high availability configuration
Hello,
In a high availability configuration (2 LLN nodes), when we call logout we stay connected on one node because of the sessions local cache.
Is there a way to resolve this better than setting the cache refresh time to 0?
Same question for the configuration local cache...
Thank you for your help.
Best regards,
Joseph
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1198
Portal web services to declare existing skins and backgrounds
2017-12-05T18:36:14Z
Clément OUDOT
Portal web services to declare existing skins and backgrounds
To have a better way to configure portal skins and backgrounds in the Manager, I think we can have a simple REST service that will return the list of skins and backgrounds by scanning files on disk.
For skins, each skin could have a little screenshot image in its directory. For backgrounds, we can display the background image directly, as is done today.
This will allow creating custom skins and backgrounds and configuring them directly in the Manager.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1221
Chinese translation
2017-12-05T18:36:14Z
Yadd
Chinese translation
Chinese translation started on https://www.transifex.com/lemonldapng/lemonldapng/dashboard/
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1226
Do not use flags for changing languages
2017-12-05T18:36:14Z
Yadd
Do not use flags for changing languages
As explained by the [W3C](https://www.w3.org/International/questions/qa-link-lang#flags), it is recommended not to use flags for indicating languages.
Any better idea?
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1240
Access rules redirection with nginx
2017-12-05T18:36:14Z
Ismael Dupras
Access rules redirection with nginx
I try to use logout_sso with a URL to redirect to after logout and it doesn't work. Do you have any idea why?
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1246
Manager authentication problem + error 403 with LDAP authentication
2017-12-05T18:36:14Z
Damien Rocher
Manager authentication problem + error 403 with LDAP authentication
Dear,
I have a problem with my LDAP authentication. I followed the tutorial exactly. In fact, when I connect on the auth portal, I'm not recognized as the administrator account. I can't open my manager and I get a 403 error.
Does anyone have a solution for this? Or a recommendation?
(I'm new to this type of infrastructure)
FAQ
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1275
FailOver mode - For last configuration
2017-12-05T18:36:15Z
Mathieu Lecompte-melançon
FailOver mode - For last configuration
The idea is that in some disaster recovery plans we will want to get NGINX/LLNG up before any SGBD/NoSQL server. So in some cases, the configuration database (Mongo in our case) is offline at the start of LLNG.
What we suggest is to keep a local copy of the latest pushed config in a file, and if LLNG fails to retrieve the config from its main source, it falls back to the latest config file...
Indeed, in case of failover, no saved changes are permitted in the Manager, and the Manager will show the current config in read-only mode or propose to retry loading the config from the main config server. If it works, the server reloads its configuration and returns to a normal state.
This feature is perfect when we use LLNG over failover NGINX, to ensure every node can start and the configuration is the same on every instance of LLNG.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1276
FailOver mode - For globalStorage (session)
2017-12-05T18:36:15Z
Mathieu Lecompte-melançon
FailOver mode - For globalStorage (session)
In case of a disaster recovery plan, or simply maintenance.
We would like a failover mode in case the SGBD is not reachable during operation of the SGBD.
After X connection attempts, or a manual switch from the manager, LLNG should be able to fail over session storage to a local file system.
Sometimes we want to update/check our SGBD and we could have to bring it down for some minutes/hours. We suggest that when this happens LLNG switches to failover mode, makes an announcement on the main login page (FailOver mode ON - Some features could be unavailable) and asks again for a new session.
To switch back to normal mode, the main global storage should be available and be activated from the manager page by a config push, to ensure every node of LLNG is in normal mode.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1283
Is it possible to pass the token cookie over a GET URL?
2017-12-05T18:36:15Z
Mathieu Lecompte-melançon
Is it possible to pass the token cookie over a GET URL?
In this case, we have a third-party application (Word) which is trying to open a document on a site protected and authenticated by LLNG. Every time I try to get the result, we obtain the login script in Word. It's normal as there is no cookie defined in Word.
The idea is to pass the token in the URL like: document.php?id=12345&token=sjahl4uiyqwe
That way, when Word tries to get the document, it will work as long as the token is valid and not expired.
In our case we try an AOS integration of Alfresco/Word.
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1284
FORM Replay - NGinx integration via LUA
2018-11-28T13:26:56Z
Mathieu Lecompte-melançon
FORM Replay - NGinx integration via LUA
Related to #1192.
It was said in the ticket below that it was the static way of NGINX that did not allow dynamic injection.
As you already use Lua integration to render headers dynamically,
you could exploit Lua to inject code directly in the page.
https://github.com/openresty/lua-nginx-module#body_filter_by_lua
3.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1311
Previous values not saved in Manager
2018-03-20T07:56:00Z
dcoutadeur dcoutadeur
Previous values not saved in Manager
These previous values could randomly not be saved into the Manager:
- combination modules
- SAML private/public key
Deploying the values tree in the Manager seems to prevent the error.
In discussion
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1335
[OIDC] Probable bug with scope
2017-12-15T07:54:13Z
Florian Thoni
[OIDC] Probable bug with scope
Using the last stable version 1.9.14 (Apache version), I am actively using the OpenID Connect service provided.
I would like userinfo and the JWT to return more information than simply "sub".
I then tried to change the "scope" from openid to a standard or a custom scope (custom = one I created in the manager) and I see that, whatever scope I put other than openid, instead of getting the consent page or being redirected, it presents me the portal page.
Thank you
![image](/uploads/97de46dc3b0637debbe17f9aa531fd31/image.png)
![image](/uploads/fc53390a50941f57a4d416642297dba8/image.png)
FAQ
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1354
Lasso errors on Debian
2018-01-19T10:27:36Z
Clément OUDOT
Lasso errors on Debian
We face some critical errors with Lasso on Debian systems, like:
```
GLib-GObject-WARNING **: cannot register existing type 'LassoNode' at
/usr/share/perl/5.20/XSLoader.pm line 117.
GLib-GObject-CRITICAL **: g_type_register_static: assertion
'parent_type > 0' failed at /usr/share/perl/5.20/XSLoader.pm line 117.
GLib-GObject-CRITICAL **: g_type_register_static: assertion
'parent_type > 0' failed at /usr/share/perl/5.20/XSLoader.pm line 117.
```
A mail has been sent to the Lasso team: http://listes.entrouvert.com/wwsympa.fcgi/arc/lasso/2018-01/msg00000.html
It seems there is no issue with Lasso on RHEL 7: https://mail.ow2.org/wws/arc/lemonldap-ng-users/2018-01/msg00011.html
FAQ
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1374
LemonLDAP randomly switches to demonstration mode
2018-10-08T07:44:48Z
Mickael Bride
LemonLDAP randomly switches to demonstration mode
This occurred 2 times in our production environment.
After performing an action in the manager UI (adding a new SAML identity provider) and saving the new configuration, LemonLDAP suddenly switched to demonstration mode.
A restart of Apache was required to restore the normal behavior.
Here are the Apache logs during the issue when someone tries to authenticate:
```
[Mon Feb 12 15:00:02.700765 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Now using configuration: 110
[Mon Feb 12 15:00:02.700897 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Menu loaded
[Mon Feb 12 15:00:02.700956 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Display loaded
[Mon Feb 12 15:00:02.701021 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthDemo loaded
[Mon Feb 12 15:00:02.701347 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBMulti loaded
[Mon Feb 12 15:00:02.701410 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::PasswordDBLDAP loaded
[Mon Feb 12 15:00:02.701754 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::RegisterDBDemo loaded
[Mon Feb 12 15:00:02.702006 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Mon Feb 12 15:00:02.702018 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702025 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenID
[Mon Feb 12 15:00:02.702031 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702037 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module CAS
[Mon Feb 12 15:00:02.702043 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702049 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Mon Feb 12 15:00:02.702055 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702060 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Mon Feb 12 15:00:02.702066 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702156 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Mon Feb 12 15:00:02.702169 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Mon Feb 12 15:00:02.702233 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
[Mon Feb 12 15:00:02.702351 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Mon Feb 12 15:00:02.702417 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Mon Feb 12 15:00:02.702429 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Mon Feb 12 15:00:02.702474 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerDBInit
[Mon Feb 12 15:00:02.702492 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Mon Feb 12 15:00:02.702536 2018] [perl:debug] [pid 30330] CGI.pm(114): /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/AuthDemo.pm 42:
[Mon Feb 12 15:00:02.702544 2018] [perl:warn] [pid 30330] Using demonstration mode, go in Manager to edit the configuration
[Mon Feb 12 15:00:02.702552 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerForUnAuthUser
[Mon Feb 12 15:00:02.702568 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub extractFormInfo
[Mon Feb 12 15:00:02.702654 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Use customized message for error 9
[Mon Feb 12 15:00:02.702730 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
```
Here are the Apache logs when it correctly works:
```
[Mon Feb 12 15:00:52.380004 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Now using configuration: 110
[Mon Feb 12 15:00:52.380112 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Menu loaded
[Mon Feb 12 15:00:52.380166 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Display loaded
[Mon Feb 12 15:00:52.380231 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthMulti loaded
[Mon Feb 12 15:00:52.380284 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBMulti loaded
[Mon Feb 12 15:00:52.380335 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::PasswordDBLDAP loaded
[Mon Feb 12 15:00:52.380623 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::RegisterDBDemo loaded
[Mon Feb 12 15:00:52.380826 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Mon Feb 12 15:00:52.380837 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380843 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenID
[Mon Feb 12 15:00:52.380849 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380854 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module CAS
[Mon Feb 12 15:00:52.380868 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380874 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Mon Feb 12 15:00:52.380880 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380886 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Mon Feb 12 15:00:52.380891 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380968 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Mon Feb 12 15:00:52.380979 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Mon Feb 12 15:00:52.381035 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
[Mon Feb 12 15:00:52.381139 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Mon Feb 12 15:00:52.381196 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Mon Feb 12 15:00:52.381208 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Mon Feb 12 15:00:52.381251 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerDBInit
[Mon Feb 12 15:00:52.381269 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Mon Feb 12 15:00:52.381377 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthSAML loaded
[Mon Feb 12 15:00:52.381458 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthLDAP loaded
[Mon Feb 12 15:00:52.381567 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBLDAP loaded
```
I notice in the first lines that "AuthDemo" is loaded instead of "AuthMulti".
Do you have any idea what could be the problem? The same action was done other times without any problem. It only happened 2 times, but it was very critical as it prevents any new connection.
Do we need to restart Apache every time we make that kind of modification?
Thank you
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1380
Propose a better look and feel for login form
2019-12-09T10:27:03Z
Clément OUDOT
Propose a better look and feel for login form
I will see if we can have a better login form, without losing all configuration settings for buttons and authentication choices. There are a lot of examples here:
* https://www.webdesignboom.net/2014/html-css-login-form-templates/
* https://colorlib.com/wp/html5-and-css3-login-forms/
This is a low priority but could be really nice for 2.0.
Backlog
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1387
Update manager following portal design
2018-03-07T09:48:00Z
Yadd
Update manager following portal design
### Summary
Manager 2.0 is still written with one big object. The goal is to split it like portal: conf, plugins,... separated
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1392
Features, 2F management page for IT Team
2019-11-22T20:53:54Z
Mathieu Lecompte-melançon
Features, 2F management page for IT Team
For enterprise usage, it would be good to let the IT team register/unregister 2F for all users.
And also, maybe a REST API to let<s is done by some automatic script
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1393
Trusted Device (Yubikey)
2019-12-13T13:43:17Z
Mathieu Lecompte-melançon
Trusted Device (Yubikey)
### Summary
Use a device like a Yubikey or a custom certificate to trust a device that tries to authenticate.
### Design proposition
The main idea is to tell LLNG a list of devices that can access some critical websites.
It's not like a 2F, which is linked to a user. It's more like: if you want to access this website you have to be on a secure computer (device), and you also need to authenticate yourself if the device is authorised for the website...
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1410
Possibility to impose/propose a second factor when creating an account
2018-11-28T17:49:54Z
Yadd
Possibility to impose/propose a second factor when creating an account
### Summary
If registration is enabled with 2FA, LLNG could propose or impose a 2F token registration
### Design proposition
* case "propose": when a 2F is available for a new user, at the end of registration, add a link to `/2fregisters`
* case "impose": at the end of registration process, don't validate account until a 2F is registered *(session temporarily created and available only for `/2fregisters`)*
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1432
Launch a SAML SLO when session is purged
2018-05-26T08:06:12Z
Yadd
Launch a SAML SLO when session is purged
### Summary
When LLNG purges sessions, it doesn't take care of SAML. It could be interesting to propose to propagate session deletion through SAML when SOAP SLO is available
### Design proposition
In purgeCentralSessions script, look if a SAML token exists and if SOAP-SLO is available, launch a SLO process.
@clement_oudot: is it possible without link to user's browser?
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1434
Validate XML SP metadata
2018-10-08T13:35:52Z
Pascal Pejac
Validate XML SP metadata
### Summary
When you upload or copy metadata for a new SP in the SAML section, the metadata are not validated with an XML parser.
If you have a mistake in your XML (like not encoding a special character such as "&" in a URL, for example), no error is shown in the UI.
Moreover, SAML stops working for the other SPs because of this error.
### Design proposition
When the form is submitted, run an XML parser validation before saving the metadata, and if an error occurs display an error message.
Backlog
Clément OUDOT
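The check proposed in issue 1434, as an added example that is not LemonLDAP::NG code: a Perl function built on XML::LibXML that rejects metadata which is not well-formed (such as the unescaped "&" in a URL mentioned above) and then confirms the document really is SAML 2.0 SP metadata before it would be saved. The function name and the two sample metadata documents are constructed for the example; the parser is configured with external entities, external DTDs and network access disabled so that uploaded metadata cannot be used for XXE.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXML::XPathContext;

# Namespace of SAML 2.0 metadata documents.
my $MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

# check_sp_metadata (hypothetical name): returns undef when the metadata is
# acceptable, otherwise a message that the Manager form could display.
sub check_sp_metadata {
    my ($xml) = @_;

    # Parser hardened for untrusted input: no entity expansion, no external
    # DTD loading, no network access, no oversized documents.
    my $parser = XML::LibXML->new(
        no_network      => 1,
        expand_entities => 0,
        load_ext_dtd    => 0,
        huge            => 0,
    );

    # load_xml dies on malformed XML; capture the libxml2 message for the user.
    my $doc = eval { $parser->load_xml( string => $xml ) };
    if ( !$doc ) {
        my $err = defined $@ && length $@ ? "$@" : 'unknown parser error';
        chomp $err;
        return "Metadata is not well-formed XML: $err";
    }

    # Well-formed is not enough: it must be an EntityDescriptor in the
    # metadata namespace, with an entityID and an SP role.
    my $root = $doc->documentElement;
    return "Root element must be md:EntityDescriptor"
      unless ( $root->namespaceURI // '' ) eq $MD_NS
      && $root->localname eq 'EntityDescriptor';

    return "EntityDescriptor has no entityID attribute"
      unless $root->hasAttribute('entityID');

    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs( md => $MD_NS );
    return "No SPSSODescriptor found, this is not SP metadata"
      unless $xpc->exists('/md:EntityDescriptor/md:SPSSODescriptor');

    return undef;
}

# Constructed samples: a minimal valid SP descriptor, and the same document
# with the "&" in a URL left unescaped, the mistake described in the report.
my $good = <<'XML';
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs?a=1&amp;b=2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML
( my $bad = $good ) =~ s/&amp;/&/;

# A document from another namespace must be refused even though it parses.
my $not_saml = '<root xmlns="urn:example:other"><child/></root>';

for my $case ( [ good => $good ], [ bad => $bad ], [ other => $not_saml ] ) {
    my $err = check_sp_metadata( $case->[1] );
    printf "%-5s -> %s\n", $case->[0], defined $err ? $err : 'accepted';
}
```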
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1435
Configuration search engine
2019-11-21T16:21:43Z
Christophe Maudoux
chrmdx@gmail.com
Configuration search engine
### Summary
Append a configuration search engine to look for a pattern (value, macro, attributes, etc...) like lmConfigEditor and '/' command.
### Design proposition
I think it can be done by using the same as diff.html template
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1436
Append a sessions search engine
2018-11-28T11:34:38Z
Christophe Maudoux
chrmdx@gmail.com
Append a sessions search engine
### Summary
Append a search engine to look for a specific SSO or persistent session.
Highlight current session type and display active filter
### Design proposition
Like 2ndFA sessions
3.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1444
On logout, logout from remote cross domain sites too
2018-06-06T12:52:46Z
Dejan SANADER
On logout, logout from remote cross domain sites too
Logout from the portal clears the session cookie on the main domain (.example.com), but keeps the session cookie untouched on cross domain sites.
On a local handler, this is handled gracefully: access to a cross domain site with a deleted session triggers a redirect to the portal.
On a remote handler, the session is cached, and access is still possible after logout. This is true for the SOAP/REST session backend. I guess database backends like Redis or Mongo don't suffer from this.
Backlog
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1447
JSON encoding issue
2019-09-12T09:34:24Z
Andres Merila
JSON encoding issue
### Concerned version
Version: 1.9.16
Platform:
```
Debian Stretch: Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07)
apache2 2.4.25-3+deb9u4
libjson-maybexs-perl 1.003008-1
libjson-perl 2.90-1
libjson-xs-perl 3.030-1
```
### Summary
Happened when trying to get OpenID Connect Service to work. I got "Error occurs on the server" message when I tried to load http://auth.example.com/.well-known/openid-configuration in a browser. Same error happened when I tried OpenID Connect implicit flow with response types ["id_token", "token"] or ["id_token"].
It looks like a similar issue was fixed in the past #1294
As a person with no knowledge about Perl, I'd say that the parameter `{ allow_nonref => 1 }` most likely must be added to the to_json() calls.
### Logs
Error line is here. More in an attachment: [lemonldap.log](/uploads/e9fd2f34761f034e10a92978a3c718fe/lemonldap.log)
```
[Mon Jun 11 11:06:50.779805 2018] [:error] [pid 11820:tid 140419451623168] hash- or arrayref expected (not a simple scalar, use allow_nonref to allow this) at /usr/share/perl5/JSON.pm line 154, <DATA> line 755.\n
```
In discussion
Clément OUDOT
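The behaviour behind the error line in issue 1447, as an added example that is not LemonLDAP::NG code: JSON.pm refuses a bare scalar at the top level unless `allow_nonref` is set, which is what the reporter proposes adding to the `to_json()` calls. The sample value is constructed; the version remark in the comments refers to JSON.pm 2.x as listed in the report versus the 4.x default.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON;    # JSON.pm, the module named in the error line of the report

# Constructed sample: an OpenID Connect response type is a bare string,
# not a hash or array reference.
my $response_type = 'id_token token';

# Functional interface. JSON.pm 2.x (the version in the report) dies with
# "hash- or arrayref expected (not a simple scalar, use allow_nonref to allow
# this)" here; JSON.pm 4.x enables allow_nonref by default and succeeds.
my $strict = eval { to_json($response_type) };
print 'to_json(scalar): ', ( defined $strict ? $strict : "died: $@" );
print "\n";

# Same call with the option the reporter suggests: the scalar is serialised
# as a JSON string literal, "id_token token".
my $lenient = to_json( $response_type, { allow_nonref => 1 } );
print "to_json(scalar, {allow_nonref => 1}): $lenient\n";

# Object interface: configure one encoder once and reuse it, so every code
# path that may hand over a scalar (or a hash) behaves the same way.
my $json = JSON->new->utf8->canonical->allow_nonref;
print $json->encode($response_type), "\n";
print $json->encode( { response_types_supported => [ 'id_token', 'token' ] } ), "\n";
```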
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1456
Create account and reset paswword with SQL/DBI module
2018-06-18T12:55:03Z
acool acool
Create account and reset paswword with SQL/DBI module
### Summary
Hello,
I am posting a message for you because I use Lemonldap-ng and everything works perfectly, except creating an account and resetting the password.
For account creation an SMTP server is required, but I receive a bad token because the DBI module is not there; there are only the demo module, LDAP and Active Directory, and not the DBI module.
For the reset I use the DBI module to store my accounts in my database too.
Regards,
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1459
llng-fastcgi.sock failed
2018-09-13T05:08:04Z
SORE Abdoulaye
llng-fastcgi.sock failed
### Concerned version
Version: %"2.0.0"
Platform: Nginx
### Summary
Hello,
After installing LemonLDAP::NG 2.0 on CentOS 7 from the tarball, I got "502 bad gateway" or "server internal error" when trying to access the manager, portal, test1 or test2.
### Logs
Nginx error_log
```
2018/06/21 10:03:43 [crit] 3428#0: *4 connect() to unix:/usr/local/run/llng-fastcgi.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: auth.example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/usr/local/run/llng-fastcgi.sock:", host: "auth.example.com"
```
### Backends used
left by default.
### Possible fixes
It's because the **fastcgi_pass** of portal and manager is different from the llng-fastcgi-server's **$socket** variable. In fact, in the portal for example:
vi /usr/local/lemonldap-ng/etc/portal-nginx.conf
```
[...]
fastcgi_pass unix:/usr/local/run/llng-fastcgi.sock;
[...]
```
and in llng-fastcgi-server:
vi /usr/share/lemonldap-ng/sbin/llng-fastcgi-server
```
[...]
$socket ||= $ENV{SOCKET} || '/var/run/llng-fastcgi-server/llng-fastcgi.sock';
[...]
```
So the portal is looking for `llng-fastcgi.sock` in `/usr/local/run/` while it's created in `/var/run/llng-fastcgi-server/`.
By replacing `/usr/local/run/llng-fastcgi.sock` with `/var/run/llng-fastcgi-server/llng-fastcgi.sock` in the nginx virtual hosts (portal, manager, test), it works fine.
In discussion
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1471
Plugin system for portal menu
2019-11-21T16:20:40Z
Clément OUDOT
Plugin system for portal menu
The goal is to be able to write a Perl plugin that would add a tab in portal menu.
Like an auth plugin, it could inject a specific HTML template and have its own configuration settings.
See also #1652
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1475
Update conf in all threads simultaneously
2018-07-12T17:51:36Z
Yadd
Update conf in all threads simultaneously
### Summary
Today, when the conf is updated in the local cache, each thread reads it after 0 to 10 minutes, so on the same server the configuration isn't consistent for up to 10 minutes.
### Design proposition
We could add a communication channel between all threads (like "status"). If one thread discovers a new conf, it will indicate to all the others that they should reload it.
Backlog
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1495
Verify if bootstrap vulnerability can be exploited in LLNG
2019-01-04T14:58:48Z
Yadd
Verify if bootstrap vulnerability can be exploited in LLNG
### Concerned version
Version: %"1.9.18", %"2.0.0"
### Summary
The following vulnerabilities were published for twitter-bootstrap3. If LLNG is vulnerable, update Bootstrap at least to 4.1.2.
[CVE-2018-14040](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14040): In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
[CVE-2018-14041](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041): In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
[CVE-2018-14042](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042): In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
FAQ
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1511
Modify Portal::Main::Display.pm module structure
2022-12-12T13:53:45Z
Christophe Maudoux
chrmdx@gmail.com
Modify Portal::Main::Display.pm module structure
### Summary
Display.pm is built with many 'if then elsif' control structures
### Design proposition
Use entry points to select forms ?
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1537
add notifications for auto-enrollment
2019-11-21T16:19:42Z
dcoutadeur dcoutadeur
add notifications for auto-enrollment
### Summary
It could be nice to have notifications displayed when a user is auto-enrolling on LemonLDAP::NG.
### Design proposition
- user clicks the auto-enrollment button
- he enters his mail
- mail is sent with a link
- user clicks the link and comes back to the portal
- the notification appears: the user has to validate all checkboxes to continue
- account is created
It could be great to have a pattern to apply the notification only for specific users.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1538
make a REST API for auto-enrollment
2019-11-21T16:12:14Z
dcoutadeur dcoutadeur
make a REST API for auto-enrollment
### Summary
make a REST API for auto-enrollment
### Design proposition
- a websso administrator generates a token for the application in the manager. Then he sends the token to the application by any secure means.
- the application provides the token and the user mail (GET or POST ?) on a REST URL
- SSO sends back the list of mandatory and optional attributes the application can write
- the application provides the attribute values
- SSO writes the user in the database
Note: maybe the SCIM protocol can be useful here...
In discussion
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1541
Issue with multiple module
2018-11-17T16:48:21Z
Thomas Prost
Issue with multiple module
Hello,
I have some issues using the multiple module of LemonLDAP (I'm using 1.9.17).
I'm trying to configure an access with an LDAP and an Active Directory (so, the same module).
I followed the steps found in the documentation, but can't make it work since I have a single LDAP tab to configure. It also seems like the #name I configured in lemonldap-ng.ini isn't recognized; in my case, I use **LDAP#ldap;LDAP#ad** in the multiple module.
Is there anything I'm doing wrong?
Thanks a lot and have a nice day.
FAQ
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1551
Segmentation fault on lng and Apache 2.4
2018-11-22T19:08:26Z
Stéphane Liabat
Segmentation fault on lng and Apache 2.4
### Concerned version
Version: %"1.9.19"
Platform:
- CentOS Linux release 7.4.1708 (Core)
- apache
- Server Version: Apache/2.4.35 (IUS) Lemonldap::NG/1.9.18 OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 mod_jk/1.2.42 mod_perl/2.0.10 Perl/v5.16.3
- Server MPM: event
- Server Built: Oct 16 2018 16:35:27
- This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
### Summary
Hello,
Historically, we had lng 1.9 and Apache 2 on RHEL.
Since we moved to lng 1.9 and Apache 2.4 on CentOS, we have been running into a serious availability problem. The service is effectively not delivered, because some requests never complete. After some time investigating, we found the error by isolating large parts of our infrastructure.
Normally we have an IP load balancer, then behind it an AJP load balancer with two reverse proxies sharing a common MySQL database; we isolated everything down to a single RP, so the complexity of our infrastructure is ruled out.
Moreover, with our old Apache 2 we did not have this error.
On Apache 2.4 we went through three stages:
- stage 1: Apache's default prefork mode.
  - A disaster. After a few hours Apache had hundreds of unfinished threads and stopped responding, after first going through a phase of extreme slowness.
- stage 2: worker mode
  - No more orphan thread or slowness problems, but many segmentation faults.
- stage 3: event mode
  - Far fewer segmentation faults, but they remain frequent and troublesome.
The error shows up as the following line in the Apache log:
```
[pid 1577:tid 140381358463168] AH00052: child pid 17763 exit signal Segmentation fault (11)
```
Thank you for your help.
### Logs
```
Wed Nov 21 00:32:09.047765 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Wed Nov 21 00:32:09.047966 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Wed Nov 21 00:32:09.048033 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Wed Nov 21 00:32:09.048665 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Set custom template parameter ucanss_portal with http://dextranet.ucanss.fr/portail/auth/portal/default/PPerso
[Wed Nov 21 00:32:09.597609 2018] [core:notice] [pid 1577:tid 140381358463168] AH00052: child pid 17763 exit signal Segmentation fault (11)
[Wed Nov 21 00:33:07.781777 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(1923): AH00925: initializing worker http://dnas01.ucanss.fr/ressources shared
[Wed Nov 21 00:33:07.781800 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(1980): AH00927: initializing worker http://dnas01.ucanss.fr/ressources local
[Wed Nov 21 00:33:07.781820 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(2015): AH00930: initialized pool in child 20620 for (
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
FAQ
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1552
redirection from application with a sharp (#) does not work with Apache MP2
2018-11-22T16:24:02Z
dcoutadeur dcoutadeur
redirection from application with a sharp (#) does not work with Apache MP2
### Concerned version
Version: 1.9.17
Platform: Apache2
### Summary
When accessing an application URL containing a sharp (#), for example:
`http://test1.example.com/#/test`
everything after the # is dropped when redirecting to portal:
`http://auth.example.com/?url=encode_base64(http://test1.example.com/)`
This bug seems to be due to the Apache2 RequestRec module, in function unparsed_uri.
In Handler/Main.pm, in function run():
`return $class->goToPortal( Lemonldap::NG::Handler::API->unparsed_uri );`
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1556
SSOaaS: add developer token service to allow SSOaaS usage
2020-02-21T12:54:33Z
Yadd
SSOaaS: add developer token service to allow SSOaaS usage
### Summary
Today, every container/VM that can reach the SSOaaS service can use it and add its rules. The idea of this issue is to add a filter that verifies a developer token before accepting queries, to allow opening this service outside a private network.
HTTP transport may be studied here too *(instead of FCGI)*.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1568
Migrate Manager from Bootstrap 3 to Bootstrap 4
2019-11-21T15:57:31Z
Clément OUDOT
Migrate Manager from Bootstrap 3 to Bootstrap 4
Like we have done for Portal.
3.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1570
Manager : replace Angular-1* by React/Redux
2021-05-16T14:57:31Z
Yadd
Manager : replace Angular-1* by React/Redux
### Summary
Angular-1.8* is the last version and is LTS until ~2022. Since we maintain at least 2 versions, we might replace it before 2020 to be sure to have a well-maintained JS framework.
React used with Redux sounds good to replace Angular-1.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1581
Documentation related to Proxy
2018-12-21T05:34:02Z
Mathieu Lecompte-melançon
Documentation related to Proxy
Hi, the documentation related to Proxy seems incomplete:
https://lemonldap-ng.org/documentation/2.0/authproxy
First, in the manager, Proxy does not appear as a choice for auth and user as described in the docs.
And it may be more usable to provide a sample of overloading in .ini with the right parameter names.
In 1.9 I have set for soap:
```
authentication = Proxy
userDB = Proxy
soapAuthService = https://auth.interne.urgences-sante.qc.ca/
```
FAQ
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1597
Move project name into LLNG
2018-12-18T23:29:08Z
Yadd
Move project name into LLNG
LemonLDAP::NG has no real link to LDAP, and this name is confusing for new users. I think we should now move to LLNG: smooth transition.
Backlog
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1615
Handler 2FA
2020-03-26T10:47:34Z
Clément OUDOT
Handler 2FA
Hi,
since 2.0 we have added the possibility to upgrade a session if the authentication level is not enough when accessing an application.
Now I would like to require a 2FA when accessing an application. We can't really use the authentication level here, as I need to require the 2FA for several applications, even if we already used the 2FA on a first one.
I was thinking of creating a new Handler type "2FA" that will require the 2FA. We need these configuration settings:
* 2FA type (TOTP, U2F, REST...)
* Skip if OTP received within X minutes
* Condition to bypass MFA or to Require MFA
The question is how to play the MFA? The best would be to redirect user on portal, but on a different process than the authentication process, it is just a MFA request.
Backlog
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1620
Account register approval workflow
2022-05-12T16:19:33Z
Clément OUDOT
Account register approval workflow
Hello,
here is a new idea to improve our register feature. I am creating this issue so we can discuss if this is a good idea to implement it in LL::NG.
The need is to add an approval step when a user creates an account. This could be done with a new menu in the Manager to view register requests and approve them, and also by sending a mail to administrators when a user registers himself.
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1621
REST backend - Prompt user to change password before expiration
2023-06-30T13:36:05Z
Mathieu Lecompte-melançon
REST backend - Prompt user to change password before expiration
### Summary
Add a feature similar to LDAP/AD to prompt the user X days before expiration to change his password.
### Design proposition
1) Create a new API call returning TRUE/FALSE to tell LLNG whether the user should change his password.
An empty value in the option means this feature is disabled.
I think the EXPIRATION logic could easily be handled by the REST back end.
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1641
Floating Menu breaks accents
2020-02-05T13:08:22Z
Paul Curie
Floating Menu breaks accents
### Concerned version
Version: 2.0.1
Platform: CentOS 7.6 / Apache 2.4.6
### Summary
When activating the floating menu on a PHP app (Self Service Password), accents break; removing the floating menu resolves this issue.
### Logs
```
Apache2::Filter::print: (32) Broken pipe at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2/Menu.pm line 72, referer: https://sspad.acme.fr/
```
I'm not sure if this error message is related but there is nothing else.
### Backends used
LDAP backend for config/sessions
### Possible fixes
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1652
Modularize Display.pm
2019-05-17T08:32:47Z
Yadd
Modularize Display.pm
### Summary
When someone writes an authentication plugin and the login template he needs isn't available, he has to modify [Display.pm](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm) and [login.tpl](lemonldap-ng-portal/site/templates/bootstrap/login.tpl). This is due to monolithic template generation.
### Design proposition
Template generation will be done in 2 steps:
* HTML::Template loads [login.tpl](lemonldap-ng-portal/site/templates/bootstrap/login.tpl) which contains a `<!-- LEMON -->` tag
* [Display.pm](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm) calls `auth->template`. If result is:
* **a string** _(template name)_, it replaces `<!-- LEMON -->` tag by the result of `HTML::Template->new('tpl_name.tpl')` and prints the result
* **a sub**, it replaces `<!-- LEMON -->` tag by the result of this sub _(to be used by [Auth::Choice](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Choice.pm))_
This design can be used also in #1471.
3.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1665
Bad configuration encoding with LDAP backend
2022-05-02T15:10:45Z
Clément OUDOT
Bad configuration encoding with LDAP backend
When storing the configuration in LDAP, the encoding is wrong.
Setting "é" from Manager inside the LDAP backend results in this value:
```
"description":"A simple application displaying authenticated user é"
```
3.0.0
Maxime Besson
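The mojibake in issue 1665 ("é" stored as "Ã©") is the signature of UTF-8 bytes being read back as Latin-1. As an added example that is not LemonLDAP::NG code, this Perl script reproduces that double encoding with Encode and shows a conservative repair that only rewrites strings which decode cleanly as UTF-8 after the reverse step, leaving correct text such as "café" untouched. The function names and the sample description string are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                       # string literals below are character strings
use Encode qw(encode decode);
binmode STDOUT, ':encoding(UTF-8)';

# How the mojibake arises: a character string is UTF-8 encoded (correct for
# storage), and the resulting bytes are then decoded as if they were Latin-1.
# Every non-ASCII character becomes two characters ("é" -> "Ã©").
sub double_encode {
    my ($text) = @_;
    my $bytes = encode( 'UTF-8', $text );      # bytes that should go to LDAP
    return decode( 'ISO-8859-1', $bytes );     # the wrong decoding step
}

# Detect and undo one level of double encoding. Returns the input unchanged
# when it does not look double-encoded, so it is safe to run on correct text.
sub repair_double_encoding {
    my ($text) = @_;

    # Candidates only: some non-ASCII present and every character fits in
    # Latin-1 (a genuinely double-encoded string never contains code points
    # above U+00FF).
    return $text unless $text =~ /[\x80-\xFF]/ && $text !~ /[^\x00-\xFF]/;

    # Reverse the wrong step, then try the right one. FB_CROAK makes decode
    # die on anything that is not valid UTF-8.
    my $bytes = encode( 'ISO-8859-1', $text );
    my $fixed = eval { decode( 'UTF-8', $bytes, Encode::FB_CROAK ) };

    # Real Latin-1 text ("café" -> "caf\xE9") is not valid UTF-8, so $fixed
    # is undef and the original is returned.
    return defined $fixed ? $fixed : $text;
}

# Constructed sample based on the description string quoted in the report.
my $original = 'A simple application displaying authenticated user é';
my $stored   = double_encode($original);

print "original: $original\n";
print "stored:   $stored\n";                               # ... user Ã©
print "repaired: ", repair_double_encoding($stored), "\n";  # back to ... user é
print "kept:     ", repair_double_encoding('café'), "\n";   # unchanged
```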
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1677
Manager progressive webapp
2019-03-25T21:38:03Z
Yadd
Manager progressive webapp
### Summary
Manager may provide a webapp
3.0.0
Yadd