Commit 051a8e43 authored by Yadd's avatar Yadd

Merge branch 'v2.0'

parents a3b24418 2e9e1660
......@@ -64,7 +64,7 @@ build_centos_7:
script:
- rm -f /etc/yum.repos.d/CentOS-Sources.repo
- yum -y install epel-release
- make rpm-dist
- make dist
- ci-build-pkg
build_centos_8:
......@@ -74,7 +74,7 @@ build_centos_8:
- yum-config-manager --enable PowerTools
- yum-config-manager --enable AppStream
- yum -y install epel-release
- make rpm-dist
- make dist
- ci-build-pkg
sign:
......@@ -91,7 +91,7 @@ sign:
- build_buster
- build_bionic
- build_centos_7
# - build_centos_8
- build_centos_8
artifacts:
expire_in: 1 day
paths:
......
......@@ -1085,23 +1085,13 @@ manager_uninstall: manager
dist: clean
@mkdir -p lemonldap-ng-$(VERSION)
@cp -pRH $$(find * -maxdepth 0|grep -v -e "\(lemonldap-ng-$(VERSION)\|debian\|rpm\)") lemonldap-ng-$(VERSION)
@cp -pRH $$(find * -maxdepth 0|grep -v -e "lemonldap-ng-$(VERSION)") lemonldap-ng-$(VERSION)
@find $$dir -name '*.bak' -delete
@rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
@rm -rf lemonldap-ng-$(VERSION)/node_modules
@$(COMPRESS) lemonldap-ng-$(VERSION).$(COMPRESSSUFFIX) lemonldap-ng-$(VERSION)
@rm -rf lemonldap-ng-$(VERSION)
rpm-dist: clean
@mkdir -p lemonldap-ng-$(VERSION)
@cp -pRH $$(find * -maxdepth 0|grep -v -e "\(lemonldap-ng-$(VERSION)\|debian\)") lemonldap-ng-$(VERSION)
@find $$dir -name '*.bak' -delete
@rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
@rm -rf lemonldap-ng-$(VERSION)/node_modules
@$(COMPRESS) lemonldap-ng-$(VERSION).$(COMPRESSSUFFIX) lemonldap-ng-$(VERSION)
@rm -rf lemonldap-ng-$(VERSION)
debian-dist: clean
@mkdir -p lemonldap-ng-$(VERSION)
@cp -pRH $$(find * -maxdepth 0|grep -v -e "\(lemonldap-ng-$(VERSION)\|rpm\)") lemonldap-ng-$(VERSION)
......
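Review bot: The `@find $$dir -name '*.bak' -delete` line kept under the rewritten `cp` in `dist` never has `dir` set — each recipe line runs in its own shell — so `$$dir` expands to nothing and GNU find walks the current directory, deleting every `*.bak` in the whole checkout rather than only in the staging copy. Point it at the directory the target just built: `@find lemonldap-ng-$(VERSION) -name '*.bak' -delete`. The new exclusion `grep -v -e "lemonldap-ng-$(VERSION)"` is also an unanchored regex (each dot in the version matches any character), so any top-level entry whose name merely contains that string is silently left out of the tarball; `grep -v -F -x -e "lemonldap-ng-$(VERSION)"` drops only the staging directory itself. The same `$$dir` line is carried over in `debian-dist`, whose body continues past the hunk.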
......@@ -60,10 +60,7 @@ $ make clean && make dist
- RedHat packaging:
Create the RPM specific tarball:
$ make clean && make rpm-dist
Next steps: see rpm/README
See rpm/README
- Debian packaging:
......@@ -87,7 +84,7 @@ Upload modules tarballs (generated by make cpan)
- OW2 Release:
Upload dist and bundles on sftp://release-up.ow2.org/projects/lemonldap
- RPM: see rpm/REDAME
- RPM: see rpm/README
- DEB:
The DEB repository is hosted on https://lemonldap-ng.org/deb
......
......@@ -895,6 +895,11 @@
"default" : "HS512",
"enum" : [ "none", "RS256", "RS384", "RS512" ]
},
"userInfoSignAlg" : {
"type" : "string",
"default" : "",
"enum" : [ "", "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512" ]
},
"accessTokenJWT" : {
"type" : "bool"
},
......@@ -34,6 +34,7 @@ Applications
applications/nextcloud
applications/obm
applications/office365
applications/publik
applications/phpldapadmin
applications/roundcube
applications/salesforce
......@@ -113,6 +114,7 @@ Application Configuration
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>` ✔
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>` ✔
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>` ✔
.. image:: applications/logo-publik.png :doc:`Publik<applications/publik>` ✔
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>` ✔
.. image:: applications/roundcube_logo.png :doc:`Roundcube<applications/roundcube>` ✔
.. image:: applications/salesforce-logo.jpg :doc:`SalesForce<applications/salesforce>` ✔
......
Publik
=======
|image0|
Presentation
------------
Publik is an open-source citizen relationship management tool.
See `the official Publik website <https://publik.entrouvert.com/>`__ for a
complete presentation.
It feature an OpenID Connect login that work with LemonLDAP::NG.
Configuring Publik
-------------------
Connect to your publik instance authentic2 webui with an Admin user, in the admin panel, go to "Authentic2_Auth_Oidc" › "Oidc providers".
Click on "Add Oidc Provider".
* Name : LemonLDAP SSO
* Short id : lemonldap
* Provider : https://auth.example.com/
* Client id : clientid
* Client secret : secret
* Authorization endpoint : https://auth.example.com/oauth2/authorize
* Token endpoint : https://auth.example.com/oauth2/token
* Userinfo endpoint : https://auth.example.com/oauth2/userinfo
* End session endpont : https://auth.example.com/oauth2/logout
* WebKey JSON : Copy/Paste the content of https://auth.example.com/oauth2/jwks
* Claims Enabled : yes
* Show on connection page : yes
Strategy and Collectivity can be configured based to your needs.
OIDC Claim mappings can be configured based on your needs.
Configuring LemonLDAP
~~~~~~~~~~~~~~~~~~~~~
We now have to configure LemonLDAP::NG to recognize publik as a valid OIDC relying party.
Add a :doc:`new OpenID Connect relying party<..//idpopenidconnect>`
with the following parameters (Options -> Basic) :
* **Client ID**: the same you set in Publik configuration.
* **Client Secret**: the same you set in Publik configuration.
* **Allowed redirection addresses for login**: The "Callback URL" for authentic2 : https://authentic2-instance/accounts/oidc/callback/
.. |image0| image:: /applications/logo-publik.png
:class: align-center
......@@ -11,6 +11,13 @@ repeatedly trying to guess the password of an user. If disabled,
automated tools may submit thousands of password attempts in a matter of
seconds.
.. attention::
This plugin relies on the Login History, stored in users' persistent sessions.
This means that the authentication and persistent session backends will be
accessed for every login attempt, even fraudulent ones. This plugin is not
meant to protect against denial of service attacks.
Configuration
-------------
......
......@@ -314,6 +314,11 @@ Options
(RSXXX) or HMAC (HSXXX) based signature algorithms
- **Access Token signature algorithm**: Select one of the available public
key signature algorithms
- **Userinfo signature algorithm** (since version ``2.0.12``): Select one
of the available signature algorithms to release user information as a JWT
on the ``/userinfo`` endpoint. If this option is left empty, user
information will be released as a plain JSON object. The ``None`` value
will release user information as an unsigned JWT.
- **Require PKCE** (since version ``2.0.4``): a code challenge is
required at token endpoint (see
`RFC7636 <https://tools.ietf.org/html/rfc7636>`__)
......
......@@ -51,17 +51,19 @@ protected from being impersonated.
.. attention::
Both spoofed and real session attributes can be used to
set access rules, groups or macros.
By example : ``$real_uid eq 'dwho'`` or ``$real_groups =~ /\bsu\b/``
By example : ``$real_uid && $real_uid eq 'dwho'`` or ``$real_groups && $real_groups =~ /\bsu\b/``
Keep in mind that real session is computed first. Afterward, if access
is granted, impersonated session is computed with real and spoofed
session attributes if Impersonation is allowed.
So, ``real_`` attributes are computed by second authentication process.
To avoid Perl warnings, you have to prefix regex with ``$real_var &&``.
.. attention::
......
......@@ -89,7 +89,7 @@ configuration.
|image0|
To set your own background, copy your file in
``/usr/share/lemonldap-ng/portal/htdocs/skins/common/backgrounds/`` and
``/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds/`` and
register it in ``/etc/lemonldap-ng/lemonldap-ng.ini``:
.. code-block:: ini
......
......@@ -354,7 +354,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
to disable CSRF token by setting a special rule based on callers IP
address like this :
requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
requireToken => $env->{REMOTE_ADDR} && $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
.. danger::
......
......@@ -54,6 +54,15 @@ You can then remove them with ::
lemonldap-ng-sessions delete <session_id> <session_id> <etc.>
Brute-force protection plugin may cause duplicate persistent sessions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Because of `bug #2482 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2482>`__ , some users may notice that the persistent session database is filling with duplicate sessions. Some examples include:
* An uppercase version of the regular persistent session (dwho vs DWHO)
* An unqualified version (dwho vs dwho@idp.com)
This bug was fixed in 2.0.12, but administrators are advised to clean up their persistent session database to remove any duplicate persistent sessions remaining after the upgrade.
2.0.11
------
......
......@@ -1213,6 +1213,18 @@ components:
- RS384
- RS512
default: HS512
userInfoSignAlg:
type: string
enum:
- ""
- none
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
default: ""
accessTokenJWT:
type: bool
accessTokenClaims:
......
......@@ -27,7 +27,7 @@ our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaData
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic|Rul)e|AuthnLevel)|(?:ExportedVar|Macro)s)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|ScopeRule|Macro)s)';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
......
......@@ -122,7 +122,7 @@ sub encrypt {
}
sub token {
return encrypt( join( ':', time, @_ ) );
return $_[0] ? encrypt( join( ':', time, @_ ) ) : encrypt(time);
}
## @method reval
......
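Review bot: The new guard in `token` tests `$_[0]` for truthiness, so a first argument that is present but false (`0`, `''`, `undef`) discards every argument including the ones after it, and `token(0, 'x')` now yields the same value as `token()`. For an empty `@_`, `encrypt(time)` already equals `encrypt( join( ':', time ) )`, so the branch only changes behaviour in that false-first-argument case; if the goal is to avoid a warning on an undefined argument (inferred, the hunk does not say), filter on definedness and keep the remaining arguments: `my @args = grep { defined } @_;` followed by `return encrypt( join( ':', time, @args ) );`. A one-line comment naming what the first argument is expected to be would help, since the check now gives it special status.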
......@@ -139,7 +139,9 @@ sub run {
}
# Try to recover cookie and user session
if ( $id = $class->fetchId($req)
$id = $class->fetchId($req);
$class->data( {} ) unless($id);
if ( $id
and $session = $class->retrieveSession( $req, $id ) )
{
......
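Review bot: `$class->data( {} )` is reset only when `fetchId` returns nothing, not on the path where an `$id` is found but `retrieveSession` fails, so if `data` is process-level handler state (inferred; the accessor is not in the hunk) the previous request's session data can survive into a request whose cookie no longer resolves to a session. Resetting before the lookup, `$class->data( {} );` then `$id = $class->fetchId($req);`, covers both paths unless `retrieveSession` is known to clear it itself on failure. `unless($id)` is also the one call here written without the space the surrounding code uses. `run` starts and ends outside the hunk.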
......@@ -2453,6 +2453,43 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
'oidcRPMetaDataOptionsUserIDAttr' => {
'type' => 'text'
},
'oidcRPMetaDataOptionsUserInfoSignAlg' => {
'default' => '',
'select' => [ {
'k' => '',
'v' => ''
},
{
'k' => 'none',
'v' => 'None'
},
{
'k' => 'HS256',
'v' => 'HS256'
},
{
'k' => 'HS384',
'v' => 'HS384'
},
{
'k' => 'HS512',
'v' => 'HS512'
},
{
'k' => 'RS256',
'v' => 'RS256'
},
{
'k' => 'RS384',
'v' => 'RS384'
},
{
'k' => 'RS512',
'v' => 'RS512'
}
],
'type' => 'select'
},
'oidcRPMetaDataScopeRules' => {
'default' => {},
'test' => {
......
......@@ -4262,6 +4262,20 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
],
default => 'RS256',
},
oidcRPMetaDataOptionsUserInfoSignAlg => {
type => 'select',
select => [
{ k => '', v => '' },
{ k => 'none', v => 'None' },
{ k => 'HS256', v => 'HS256' },
{ k => 'HS384', v => 'HS384' },
{ k => 'HS512', v => 'HS512' },
{ k => 'RS256', v => 'RS256' },
{ k => 'RS384', v => 'RS384' },
{ k => 'RS512', v => 'RS512' },
],
default => '',
},
oidcRPMetaDataOptionsAccessTokenJWT => { type => 'bool', default => 0 },
oidcRPMetaDataOptionsAccessTokenClaims =>
{ type => 'bool', default => 0 },
......
......@@ -224,6 +224,7 @@ sub cTrees {
nodes => [
'oidcRPMetaDataOptionsIDTokenSignAlg',
'oidcRPMetaDataOptionsAccessTokenSignAlg',
'oidcRPMetaDataOptionsUserInfoSignAlg',
'oidcRPMetaDataOptionsRequirePKCE',
'oidcRPMetaDataOptionsAllowOffline',
'oidcRPMetaDataOptionsAllowPasswordGrant',
......