lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2024-03-27T10:54:34Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3109
Conf test: should warn when auth is Choice and userDB isn't set to Choice or ...
2024-03-27T10:54:34Z
Yadd
Conf test: should warn when auth is Choice and userDB isn't set to Choice or Same
Not an error but often a mistake
Not an error but often a mistake
2.19.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3026
Auth::OIDC : add option to get keys using jwks
2024-03-27T10:40:24Z
Yadd
Auth::OIDC : add option to get keys using jwks
For now, we fix JWKS document in configuration. We should be able to consult OIDC server dynamically (with cache of course).
### Design proposition:
If oidcOPMetaDataJWKS is empty, use jwks endpoint
For now, we fix JWKS document in configuration. We should be able to consult OIDC server dynamically (with cache of course).
### Design proposition:
If oidcOPMetaDataJWKS is empty, use jwks endpoint
2.19.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2610
TOTP management screens flows
2024-03-27T10:11:19Z
Clément OUDOT
TOTP management screens flows
Some feedbacks on our currents 2FA/TOTP management flows:
* [x] After registering a TOTP, we stay on the configuration screen, with a success message. It would be better to go back to 2FA manager screen
* [ ] On 2FA manager screen, when ...
Some feedbacks on our currents 2FA/TOTP management flows:
* [x] After registering a TOTP, we stay on the configuration screen, with a success message. It would be better to go back to 2FA manager screen
* [ ] On 2FA manager screen, when we already have registered a TOTP we see the new TOTP menu. When clicking on it we have an error. Maybe we should directly add the button from the main 2FA manager screen
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3115
Date in login history is based on session _utime, not the very same time as t...
2024-03-27T09:53:05Z
philippe lhardy
philha@worteks.com
Date in login history is based on session _utime, not the very same time as the login triggering action
### Affected version
All versions up to 2.18 and including current dev.
### Summary
Success or Failure records for login history use _utime and not actual time of action.
This is enlighted when using 2FA.
When tentatively implementi...
### Affected version
All versions up to 2.18 and including current dev.
### Summary
Success or Failure records for login history use _utime and not actual time of action.
This is enlighted when using 2FA.
When tentatively implementing #3106 ordering of login failure of multiple successive 2FA failure couldn't be based on time since all entries had the very same one.
### Possible fixes
Use current time within loging history.
2.19.0
philippe lhardy
philha@worteks.com
philippe lhardy
philha@worteks.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3107
Manager diff viewer doesn't work when adding new macro named "groups"
2024-03-27T09:44:46Z
Maxime Besson
Manager diff viewer doesn't work when adding new macro named "groups"
### Affected version
Version: 2.18.2
### Summary
* Edit configuration to add a new macro named "groups", any value
* Try to view configuration diff with previous version
* "Error: undefined"
It also happens on any configuration scree...
### Affected version
Version: 2.18.2
### Summary
* Edit configuration to add a new macro named "groups", any value
* Try to view configuration diff with previous version
* "Error: undefined"
It also happens on any configuration screen that lets you enter key/value maps (exported variables, etc)
It also happens if you use "macros" as the key, and possibly other keys that match top-level configuration keys
### Logs
```
FastCGI sent in stderr: "Can't use string (""somevalue"") as a HASH ref while "strict refs" in use at /usr/share/perl5/Lemonldap/NG/Manager/Conf/Diff.pm line 93
```
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3112
Configuration override from lemonldap-ng.ini can be lost due to cache issues
2024-03-27T09:41:40Z
Maxime Besson
Configuration override from lemonldap-ng.ini can be lost due to cache issues
### Affected version
Version: 2.18.2
### Summary
This bug is easier to reproduce with a separate handler and portal, but happens with all configurations
* Configure a remote handler with globalStorage=REST
* Access the handler a few ...
### Affected version
Version: 2.18.2
### Summary
This bug is easier to reproduce with a separate handler and portal, but happens with all configurations
* Configure a remote handler with globalStorage=REST
* Access the handler a few times => overrides are applied
* Save a new configuration on the portal, without triggering a configuration reload (reloadUrls) on the remote handler
* On the remote handler, wait for configuration cache to expire
* On the remote handler, run purgeCentralCache/purgeLocalCache (! AS WWW-DATA/APACHE! )
* Access the remote handler again => globalStorage is lost
### Logs
Before cache expiration:
```
[debug] Check configuration for Lemonldap::NG::Handler::Server::Main
[debug] Get configuration from cache without verification.
```
cache content:
```
globalStorage='Lemonldap::NG::Common::Apache::Session::REST'
```
Cache contains conf from DB + INI overrides
Publish a new version, wait for cache to expire, run purgeCentralCache (as www-data)
cache content:
```
globalStorage='Apache::Session::File'
```
Cache contains conf from DB without overrides
Try to access the handler
```
[debug] Check configuration for Lemonldap::NG::Handler::Server::Main
[debug] Get configuration from cache without verification.
[debug] Get configuration 448 aged 1709392350
[info] Loading configuration 448 for process 77060
```
Configuration is loaded from (incorrect) cache, new version is found, and Handler is reloaded from this new version that doesn't have INI overrides
Later:
```
[info] Session cannot be tied: unexistant session xxx at /usr/share/perl5/Apache/Session/Store/File.pm
```
### Possible fixes
This is a subtle bug but I have hit many different versions of it over the years:
* checkTime being reset from 1 to default of 600
* globalStorage being randomly lost on remote handler
* etc
This bug comes from the fact that Common::Conf stores INI overrides in the config cache. IMO this is a bad idea. The cache, which is shared by *all* LLNG processes on the machine, should only contain DB conf, and overrides should be applied on top of it.
This behavior also means that it's also impossible to have a config override be different for two components, such as:
```
[portal]
globalStorage=Apache::Session::File
[handler]
globalStorage=Lemonldap::NG::Common::Apache::Session::REST
```
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3054
Cannot get the full otpauth URL when registering a new TOTP
2024-03-27T09:19:28Z
Soisik Froger
Cannot get the full otpauth URL when registering a new TOTP
As a user, I'd like to copy the content of the QR code when enrolling a new TOTP. This URL is useful if you use any device/software that do no rely on scanning a image.
Right now, the URL as to be built from scratch from the displayed s...
As a user, I'd like to copy the content of the QR code when enrolling a new TOTP. This URL is useful if you use any device/software that do no rely on scanning a image.
Right now, the URL as to be built from scratch from the displayed secret (if put in lowercase and without space).
Some kind of way to retrieve this URL (in the HREF attribute of the image ?) would make it easier to register TOTP without scans.
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3095
Add llngUserAttributes tools
2024-03-27T09:16:32Z
Yadd
Add llngUserAttributes tools
The idea is to have a sort of `ldapsearch` but based on portal "getUser+macros+groups". Maybe something like:
```perl
#!/usr/bin/perl
use strict;
use JSON;
use Lemonldap::NG::Portal;
my $p = Lemonldap::NG::Portal->new;
$p->init({logLev...
The idea is to have a sort of `ldapsearch` but based on portal "getUser+macros+groups". Maybe something like:
```perl
#!/usr/bin/perl
use strict;
use JSON;
use Lemonldap::NG::Portal;
my $p = Lemonldap::NG::Portal->new;
$p->init({logLevel => 'warn'});
my $uid = $ARGV[0] or die 'Missing uid';
my $req = Lemonldap::NG::Portal::Main::Request->new( {
REQUEST_URI => '/',
REMOTE_ADDR => '127.0.0.1',
PATH_INFO => '/',
}
);
$req->user($uid);
$req->steps( [
'getUser', @{ $p->betweenAuthAndData },
'setSessionInfo', $p->groupsAndMacros,
'setLocalGroups',
]
);
$p->process($req);
print JSON->new->canonical->pretty->encode($req->sessionInfo);
```
What do you think ?
2.19.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3077
Handling of groups from an OIDC provider
2024-03-27T09:14:16Z
Daniel Berteaud
Handling of groups from an OIDC provider
### Affected version
Version: 2.18.1
Platform: nginx+uwsgi
### Summary
When using an OIDC provider as Auth + UserDB, I couldn't get groups to work. In my case, the OIDC provider is also a Lemonldap::NG instance. I've configured a "gr...
### Affected version
Version: 2.18.1
Platform: nginx+uwsgi
### Summary
When using an OIDC provider as Auth + UserDB, I couldn't get groups to work. In my case, the OIDC provider is also a Lemonldap::NG instance. I've configured a "groups" claim containing a list of groups on the provider. This claim is correctly sent in the UserInfo endpoint. The "salve" Lemonldap::NG instance sees it, but just set the groups session keys as a stringified version of the array of groups. $hGroups remains empty, and groups are not usable.
### Logs
```
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Request User Info on https://primary.local/oauth2/userinfo with access token XXXXXXX
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] UserInfo received: {"mail":"dani@local","cn":"Daniel Berteaud","groups":["Role_Unix","Role_Dev","Role_DB_Viewer","Administrators","Role_DB_Admin","Role_GED","Role_Mail","Role_Support_Admin","Role_PKI_User","Role_Infra_Admin","Denied RODC Password Replication Group","Domain Admins","Role_Vault","Role_Visio","Role_VPN","Role_FW_Admin","Role_Audit","Equipe","Role_Seafile","Role_PKI_Admin","Role_Monitoring","IT","Role_Support_User","Role_Virt","Role_CT_Admin","Role_Matrix"],"principal":"dani@local","uid":"dani","sub":"dani"}
[...]
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 1704448287 in session key _lastAuthnUTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store HASH(0x65f8a60) in session key _loginHistory
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = {'successLogin' => [{'ipAddr' => '10.99.20.2','_utime' => '1704448211'},{'ipAddr' => '10.99.20.2','_utime' => '1704448149'},{'ipAddr' => '10.99.20.2','error' => -4,'_utime' => '1704443859'},{'ipAddr' => '10.99.20.2','_utime' => '1704443859'},{'_utime' => '1704443073','error' => -4,'ipAddr' => '10.99.20.2'},{'ipAddr' => '10.99.20.2','_utime' => '1704443073'},{'_utime' => '1704442587','ipAddr' => '10.99.20.2','error' => -4},{'ipAddr' => '10.99.20.2','_utime' => '1704442587'},{'ipAddr' => '10.99.20.2','_utime' => '1704378084'},{'ipAddr' => '10.99.20.2','_utime' => '1704377346'}],'failedLogin' => []};
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store ARRAY(0x6390dd0) in session key groups
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = ['Role_Unix','Role_Dev','Role_DB_Viewer','Administrators','Role_DB_Admin','Role_GED','Role_Mail','Role_Support_Admin','Role_PKI_User','Role_Infra_Admin','Denied RODC Password Replication Group','Domain Admins','Role_Vault','Role_Visio','Role_VPN','Role_FW_Admin','Role_Audit','Equipe','Role_Seafile','Role_PKI_Admin','Role_Monitoring','IT','Role_Support_User','Role_Virt','Role_CT_Admin','Role_Matrix'];
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 20240105105011 in session key _updateTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store dani in session key _user
```
Screenshot of the resulting session on the slave Lemonldap::NG
![image](/uploads/fc6bddce1c364b8c0ab943920f603df4/image.png)
### Backends used
Primary (OIDC RP) Lemonldap::NG is running
- On almalinux 8
- With nginx (OpenResty) + llng-fastcgi-server
- Using AD (samba4) as AuthDB and UserDB
- Using MariaDB as configuration and session store
Slave Lemonldap::NG is running
- On almalinux 9 (Docker based on almalinux9)
- With nginx + uwsgi
- Using OIDC as AuthDB and Same as UserDB
- An OIDC provider has been configured pointing at the primary LL::NG portal
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3113
Add possibility to store conf secrets in separated files
2024-03-27T09:09:10Z
Yadd
Add possibility to store conf secrets in separated files
When I'm using Lemonldap with static configuration (deployed using help chart), the key rotation maybe lost when restarting containers.
## Design proposition
`lemonldap-ng.ini` contains a new key `secretsPath`. Then when [Common::Conf]...
When I'm using Lemonldap with static configuration (deployed using help chart), the key rotation maybe lost when restarting containers.
## Design proposition
`lemonldap-ng.ini` contains a new key `secretsPath`. Then when [Common::Conf](lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm) see that:
- when "load": read the list of secret and launches them from this directory (keyName == fileName)
- when "store": ignore this changes ?
@clement_oudot, @maxbes, @xavierb : any idea/advice ?
2.19.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3121
LLNG should not fail when local cache is broken
2024-03-27T09:08:38Z
Yadd
LLNG should not fail when local cache is broken
2.19.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3104
Incorrect initialization of SAML IDP causes IDP to fallback to default settings
2024-03-27T08:25:53Z
Maxime Besson
Incorrect initialization of SAML IDP causes IDP to fallback to default settings
When initializing a SAML IDP in Auth::SAML, if some step goes wrong (impossible to set signature policy, or bad rule), the IDP is still useable but no defaults are set
We need to make sure the IDP is correctly loaded before enabling it,...
When initializing a SAML IDP in Auth::SAML, if some step goes wrong (impossible to set signature policy, or bad rule), the IDP is still useable but no defaults are set
We need to make sure the IDP is correctly loaded before enabling it, and report an error if it isn't the case
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3101
OIDC offline session refresh has no access to previous session info
2024-03-26T13:21:23Z
Maxime Besson
OIDC offline session refresh has no access to previous session info
For a custom plugin, I need to access the _samlToken stored at login time in getUser.
Currently, the offline refresh code does not allow it:
```
$req->user( $refreshSession->data->{_session_uid} );
$req->data->{$_} = $r...
For a custom plugin, I need to access the _samlToken stored at login time in getUser.
Currently, the offline refresh code does not allow it:
```
$req->user( $refreshSession->data->{_session_uid} );
$req->data->{$_} = $refreshSession->data->{$_} foreach (qw(_choice));
$req->steps( [
'getUser', @{ $self->p->betweenAuthAndData },
'setSessionInfo', $self->p->groupsAndMacros,
'setLocalGroups',
]
);
```
Only _choice is kept, and the _samlToken cannot be exposed to getUser
In order to fix this, a possible solution would be to run the same process we do in the "Refresh my rights" feature:
keep existing session keys, refresh, and update the session with the new keys. This will remove some code duplication between OIDC and Main
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3099
second factor type is not stored in history in case of a 2FA failure
2024-03-26T12:32:06Z
Maxime Besson
second factor type is not stored in history in case of a 2FA failure
### Summary
If you add the `_2f` session variable to `sessionDataToRemember`, you will only see the _2f variable in your login history if it succeeded
1FA failure:
```
# 'failedLogin' => [
# ...
### Summary
If you add the `_2f` session variable to `sessionDataToRemember`, you will only see the _2f variable in your login history if it succeeded
1FA failure:
```
# 'failedLogin' => [
# {
# '_auth' => 'Demo',
# ...
# },
```
2FA failure:
```
# 'failedLogin' => [
# {
# '_auth' => 'Demo',
# '_2f' => undef,
# ...
# },
```
### Design proposition
We should set the _2f variable even if 2FA failed, so it can be displayed in history
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3076
RefreshSession plugin doesn't work with choice
2024-03-26T12:29:14Z
Maxime Besson
RefreshSession plugin doesn't work with choice
### Affected version
Version: 2.18.1
### Summary
* Configure Auth::Choice
* Enable RefreshSession plugin
* Login
* refresh using the /refreshsession API
* it fails because _choice isn't set
### Logs
```
[debug] Start routing refres...
### Affected version
Version: 2.18.1
### Summary
* Configure Auth::Choice
* Enable RefreshSession plugin
* Login
* refresh using the /refreshsession API
* it fails because _choice isn't set
### Logs
```
[debug] Start routing refreshsessions
[notice] Refresh request for abarnes
[debug] [notice] Refresh request for abarnes
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[warn] Refresh failed for session 1b4228c3aea6021e271c7ce7c8acccec663ac91f5c00dd02f9379e3b53495e5d
```
### Possible fixes
populate userData in $req with all sessions attribute (including _choice) before calling the portal refresh function:
```
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
index 6334b4508..8fd6935f4 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
@@ -36,6 +36,7 @@ sub run {
);
$req->id($id);
$req->user( $info->{uid} );
+ $req->userData( $sessions->{$id} );
my $res;
eval { $res = $self->p->refresh($req); };
if ($@) {
```
does it look ok for you @guimard ?
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3087
RefreshSession plugin creates group duplicates when multiple sessions are used
2024-03-26T12:28:10Z
Maxime Besson
RefreshSession plugin creates group duplicates when multiple sessions are used
### Affected version
Version: 2.18.1
### Summary
* Enable refresh session plugin
* Login as dwho twice
* Refresh sessions for dwho with the plugin
* Groups are duplicated in $groups
### Logs
```
Store users; timelords; users; timelo...
### Affected version
Version: 2.18.1
### Summary
* Enable refresh session plugin
* Login as dwho twice
* Refresh sessions for dwho with the plugin
* Groups are duplicated in $groups
### Logs
```
Store users; timelords; users; timelords in session key groups
```
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3102
Allow custom ordering in history session keys
2024-03-18T13:07:55Z
Maxime Besson
Allow custom ordering in history session keys
Surrently, session keys are displayed in the login history by alphabetical order
We should let users reorder them, for example using 1_xxx prefixes like we do for Choices
Surrently, session keys are displayed in the login history by alphabetical order
We should let users reorder them, for example using 1_xxx prefixes like we do for Choices
2.19.0
Abhishek Pai
Abhishek Pai
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2864
Can't locate XML/LibXML.pm; Can't locate LWP/UserAgent.pm
2024-03-15T14:01:48Z
Slaven Rezic
Can't locate XML/LibXML.pm; Can't locate LWP/UserAgent.pm
The test suite of COUDOT/Lemonldap-NG-Common-2.0.16.tar.gz fails on some of my smoker systems, probably due to undeclared dependencies:
```
# Failed test 'require './scripts/importMetadata';'
# at t/45-importMetadata-config.t line 7....
The test suite of COUDOT/Lemonldap-NG-Common-2.0.16.tar.gz fails on some of my smoker systems, probably due to undeclared dependencies:
```
# Failed test 'require './scripts/importMetadata';'
# at t/45-importMetadata-config.t line 7.
# Tried to require ''./scripts/importMetadata''.
# Error: Can't locate XML/LibXML.pm in @INC (you may need to install the XML::LibXML module) (@INC contains: ... .) at ./scripts/importMetadata line 10.
# BEGIN failed--compilation aborted at ./scripts/importMetadata line 10.
# Compilation failed in require at (eval 9) line 2.
# No tests run!
...
```
or
```
# Failed test 'require './scripts/importMetadata';'
# at t/45-importMetadata-config.t line 7.
# Tried to require ''./scripts/importMetadata''.
# Error: Can't locate LWP/UserAgent.pm in @INC (you may need to install the LWP::UserAgent module) (@INC contains: ... .) at ./scripts/importMetadata line 7.
# BEGIN failed--compilation aborted at ./scripts/importMetadata line 7.
# Compilation failed in require at (eval 8) line 2.
# No tests run!
...
```
2.16.2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3120
Add unique HTTP request ID to logs
2024-03-12T15:12:18Z
Maxime Besson
Add unique HTTP request ID to logs
### Summary
Having a unique identifier for a HTTP request is a precious debugging tool.
There are some existing tools for this:
* Apache ``UNIQUE_ID``
* Nginx ``$request_id``
* ``X-Request-ID``, ``X-Correlation-ID`` etc.
### Design pr...
### Summary
Having a unique identifier for a HTTP request is a precious debugging tool.
There are some existing tools for this:
* Apache ``UNIQUE_ID``
* Nginx ``$request_id``
* ``X-Request-ID``, ``X-Correlation-ID`` etc.
### Design proposition
* Extend the request object with a new ``$req->request_id`` field populated from one of the previously mentionned sources
* Auto-generate a request_id if one isn't found
* Document how to easily enable ``request_id`` in logs
2.19.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3108
Digest::HMAC should be a required dependency
2024-03-11T13:27:24Z
Maxime Besson
Digest::HMAC should be a required dependency
### Affected version
Version: 2.18.2
### Summary
* Install LLNG on Centos8 without recommended dependencies
* Portal doesn't start
### Logs
```
Lemonldap::NG::Portal::Plugins::TrustedBrowser load error: Could not load class (Lemonl...
### Affected version
Version: 2.18.2
### Summary
* Install LLNG on Centos8 without recommended dependencies
* Portal doesn't start
### Logs
```
Lemonldap::NG::Portal::Plugins::TrustedBrowser load error: Could not load class (Lemonldap::NG::Common::TOTP) because : Can't locate Digest/HMAC_SHA1.pm in @INC
```
### Possible fixes
* Do not load TrustedBrowser by default
* OR: make Digest::HMAC a required dependency: probably makes more sense because TOTP is common these days
2.19.0
Maxime Besson
Maxime Besson