<div class="notewarning">If you have <a href="installrpm.html" class="wikilink1" title="documentation:2.0:installrpm">installed LemonLDAP::NG from official RPMs</a>, you may run into bug <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" rel="nofollow">#1757</a> and lose your Apache configuration files while updating from LemonLDAP::NG 2.0.0 or 2.0.1 to later versions. Please back up your <code>/etc/httpd/conf.d/z-lemonldap-ng-*.conf</code> files before the update.
</div>
</div>
<li class="level1"><div class="li"> An option was added to display the generate-password box in the <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password reset by mail plugin</a>. If you use this feature, you must enable this option, which is disabled by default.</div>
</li>
<li class="level1"><div class="li"> If you use the default _whatToTrace macro and a case-insensitive authentication backend, a user can generate several persistent sessions for the same login (see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" rel="nofollow">issue 1869</a>). This can lead to a security bug if you enabled 2FA, which relies on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace, or force lower case in your macro:</div>
</li>
<li class="level1"><div class="li"> The Text::Unidecode Perl module becomes a requirement <em>(it will be automatically installed if you upgrade from the deb or RPM repositories)</em></div>
</li>
<li class="level1"><div class="li"><abbr title="Central Authentication Service">CAS</abbr> logout starts validating the service= parameter, but only if you use the <abbr title="Central Authentication Service">CAS</abbr> access control policy. The <abbr title="Uniform Resource Locator">URL</abbr> sent in the service= parameter will be checked against <a href="idpcas.html#configuring_cas_applications" class="wikilink1" title="documentation:2.0:idpcas">known CAS applications</a>, Virtual Hosts, and <a href="security.html#configure_security_settings" class="wikilink1" title="documentation:2.0:security">trusted domains</a>. Add your target domain to the trusted domains if you suddenly start getting "Invalid <abbr title="Uniform Resource Locator">URL</abbr>" messages on logout.</div>
</li>
<li class="level1"><div class="li">Improvements in cryptographic functions: to take advantage of them, <strong>you must change the encryption key</strong> of LemonLDAP::NG (see <a href="cli_examples.html#encryption_key" class="wikilink1" title="documentation:2.0:cli_examples">CLI example</a>).</div>
</li>
As usual, if you use more than one server and don't want to stop the <abbr title="Single Sign On">SSO</abbr> service, AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, the upgrade must be done in the following order:
<li class="level1"><div class="li"> portal servers <em>(all together if your load balancer is stateless (user or client <abbr title="Internet Protocol">IP</abbr>) and if users use the menu)</em>;</div>
</li>
<li class="level1"><div class="li"><strong>lemonldap-ng.ini</strong> requires some new fields in the portal section. Update yours using the one installed by default. The new required fields are:</div>
<ul>
<li class="level2"><div class="li"><strong>staticPrefix</strong> <em>(manager and portal)</em>: the path to static content</div>
</li>
<li class="level2"><div class="li"><strong>templateDir</strong> <em>(manager and portal)</em>: the path to the templates directory</div>
</li>
<li class="level2"><div class="li"><strong>languages</strong> <em>(manager and portal)</em>: accepted languages</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Portal skins are now in <code>/usr/share/lemonldap-ng/portal/templates</code>. See <a href="portalcustom.html#skin_customization" class="wikilink1" title="documentation:2.0:portalcustom">skin customization</a> to adapt your templates.</div>
</li>
<li class="level1"><div class="li"> The User module in the authentication parameters now provides a "Same as authentication" value. You must revalidate it in the manager, since all special values must be replaced by this one <em>(Multi, Choice, Proxy, Slave, <abbr title="Security Assertion Markup Language">SAML</abbr>, OpenID*, ...)</em></div>
</li>
<li class="level1"><div class="li"><strong>"Multi" doesn't exist anymore</strong>: it is replaced by <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, a more powerful module.</div>
</li>
<li class="level1"><div class="li"> The <code>trustedProxies</code> option was removed; you must now configure your web server to manage the <code>X-Forwarded-For</code> header, see <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">how to run LL::NG behind a reverse proxy</a>.</div>
</li>
</ul>
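The _whatToTrace item above describes a subtle failure mode: the backend accepts "Alice" and "alice" as the same account, but a persistent session keyed by the as-typed login gives each spelling its own session, so second-factor data enrolled under one spelling is simply not found under another. The following is an added example, not LemonLDAP::NG code, that models this with a constructed directory and store. It assumes (this is not stated on the page) that the persistent session is looked up by a hash of the _whatToTrace value and that the 2FA secret lives in that session; the two macro functions stand in for an as-typed macro and a lower-casing one.

```python
# Added example (not LemonLDAP::NG code): shows why a case-insensitive
# authentication backend combined with an as-typed _whatToTrace value yields
# several persistent sessions for one user, and why that weakens 2FA whose
# enrolment data lives in the persistent session.
# Assumptions (not from the page): the persistent session is keyed by a hash
# of the _whatToTrace value, and second-factor secrets are stored in it.
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Constructed directory: the backend compares logins case-insensitively,
# as an LDAP "uid" attribute usually does.
DIRECTORY = {"alice": "alice-secret"}


def backend_authenticate(login: str, password: str) -> bool:
    """Case-insensitive login check (constructed backend)."""
    return DIRECTORY.get(login.lower()) == password


def persistent_session_id(trace: str) -> str:
    """Hypothetical derivation of the persistent session key from _whatToTrace."""
    return hashlib.sha256(trace.encode("utf-8")).hexdigest()


class PersistentStore:
    """Minimal stand-in for the persistent session backend."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def get_or_create(self, trace: str) -> dict:
        return self.sessions.setdefault(persistent_session_id(trace), {})


def as_typed_macro(uid: str) -> str:
    """Default behaviour: _whatToTrace is the login exactly as the user typed it."""
    return uid


def lowercase_macro(uid: str) -> str:
    """Fixed behaviour: the macro lower-cases the login before it is used as the trace value."""
    return uid.lower()


def login(store: PersistentStore, macro: Callable[[str], str],
          login_name: str, password: str) -> Optional[dict]:
    """Authenticate against the backend, then load the persistent session named by the macro."""
    if not backend_authenticate(login_name, password):
        return None
    return store.get_or_create(macro(login_name))


def second_factor_enforced(macro: Callable[[str], str],
                           enrol_as: str, login_as: str) -> bool:
    """Enrol a TOTP secret under one spelling of the login, log in again under
    another spelling, and report whether the enrolled secret is visible to the
    second login (i.e. whether 2FA would actually be required)."""
    store = PersistentStore()
    first = login(store, macro, enrol_as, "alice-secret")
    first["totp_secret"] = "constructed-totp-secret"
    second = login(store, macro, login_as, "alice-secret")
    return "totp_secret" in second


def persistent_session_count(macro: Callable[[str], str], spellings: Iterable[str]) -> int:
    """How many distinct persistent sessions the given login spellings create."""
    store = PersistentStore()
    for spelling in spellings:
        login(store, macro, spelling, "alice-secret")
    return len(store.sessions)


if __name__ == "__main__":
    for name, macro in (("as typed", as_typed_macro), ("lower-cased", lowercase_macro)):
        print(name, "sessions:", persistent_session_count(macro, ["alice", "Alice", "ALICE"]),
              "2FA enforced:", second_factor_enforced(macro, "Alice", "alice"))
```

With the as-typed macro the three spellings create three persistent sessions and a login as "alice" never sees the TOTP secret enrolled as "Alice"; with the lower-casing macro there is one session and the second factor is found. Choosing a unique, canonical attribute for _whatToTrace avoids the problem in the same way.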
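The CAS logout item above says the service= parameter is now checked against known CAS applications, Virtual Hosts and trusted domains. The following is an added example, not LemonLDAP::NG's own validation code, of how such a post-logout redirect check can be written defensively. It assumes (the page does not specify this) that known applications are matched by service URL prefix, Virtual Hosts by exact host name, and trusted domains by the host itself or any sub-domain; all sample values are constructed.

```python
# Added example (not LemonLDAP::NG code): a defensive check of the CAS logout
# service= parameter against the three sources the upgrade note lists:
# known CAS applications, Virtual Hosts, and trusted domains.
# Assumptions (not from the page): known applications are identified by their
# service URL prefix, Virtual Hosts by exact host name, and trusted domains
# match the host itself or any sub-domain. The sample values are constructed.
from typing import Iterable, Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Lower-cased host of an absolute http(s) URL, or None if it cannot be trusted."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None          # javascript:, data:, scheme-relative URLs ...
    host = parts.hostname    # drops userinfo and port, so "app@other" yields "other"
    return host.lower() if host else None


def matches_known_app(service_url: str, known_apps: Iterable[str]) -> bool:
    """Prefix match on the registered service URL; the trailing slash prevents
    'https://app.example.org' from matching 'https://app.example.org.other.test'."""
    for app in known_apps:
        base = app.rstrip("/")
        if service_url == base or service_url.startswith(base + "/"):
            return True
    return False


def matches_trusted_domain(host: str, trusted_domains: Iterable[str]) -> bool:
    """Exact host or sub-domain of a trusted domain; the leading dot prevents
    'notexample.org' from matching 'example.org'."""
    for domain in trusted_domains:
        d = domain.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def is_valid_logout_service(service_url: str, known_apps: Iterable[str],
                            virtual_hosts: Iterable[str],
                            trusted_domains: Iterable[str]) -> bool:
    """True if the service= URL may be used as a post-logout redirect target."""
    host = host_of(service_url)
    if host is None:
        return False
    if matches_known_app(service_url, known_apps):
        return True
    if host in {v.lower() for v in virtual_hosts}:
        return True
    return matches_trusted_domain(host, trusted_domains)


# Constructed configuration for the demo.
KNOWN_APPS = ["https://cas-app.example.org/"]
VIRTUAL_HOSTS = ["intranet.example.org"]
TRUSTED_DOMAINS = ["partner.example"]

if __name__ == "__main__":
    for url in ("https://cas-app.example.org/logout?x=1",
                "https://cas-app.example.org.other.test/",
                "https://intranet.example.org/",
                "https://sso.partner.example/done",
                "https://intranet.example.org@other.test/",
                "javascript:alert(1)"):
        print(url, "->", is_valid_logout_service(url, KNOWN_APPS, VIRTUAL_HOSTS, TRUSTED_DOMAINS))
```

The rejected cases are the ones a validator of this kind has to get right: a host that merely starts with a known host name, userinfo in front of the real host, and non-http schemes. If a legitimate application is rejected after the upgrade, the fix described above (adding its domain to the trusted domains) corresponds to extending TRUSTED_DOMAINS here.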
<div class="noteimportant">Apache mod_perl has had a lot of problems since version 2.4 <em>(many segfaults, ...)</em>, especially when using MPM worker or MPM event. That's why <abbr title="LemonLDAP::NG">LL::NG</abbr> no longer uses ModPerl::Registry: everything is now handled by FastCGI <em>(portal and manager)</em>, except for the Apache2 Handler.</div>
<p>
The portal now has the same behavior as the handlers: it looks for the configuration stored in the local cache every 10 minutes. So it has to be reloaded like every handler.
</p>
<div class="noteimportant">If you want to use the reload mechanism on a portal-only host, you must install a handler on the Portal host to be able to refresh the local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code>, for example.</div>
<p>
LDAP connections are now kept open to improve performance. To allow that, <abbr title="LemonLDAP::NG">LL::NG</abbr> requires anonymous access to the LDAP RootDSE entry to check the connection.
</p>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added in 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display, …)</em>. However, you can keep the old integration method <em>(using the <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
</li>
<li class="level1"><div class="li"> For <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a>, a new <a href="authssl.html#ssl_by_ajax" class="wikilink1" title="documentation:2.0:authssl">Ajax option</a> can be used with the same idea, so SSL can be used in conjunction with other backends.</div>
</li>
<li class="level1"><div class="li"><strong>Syslog</strong>: logs are now configured in the <code>lemonldap-ng.ini</code> file only. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
</li>
<li class="level1"><div class="li"><strong>Apache2</strong>: the Portal no longer uses the Apache2 logger. Logs are still written to the Apache error.log, but the Apache "LogLevel" parameter no longer has any effect on them. The Portal is now a FastCGI application and no longer uses ModPerl. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
</li>
<li class="level1"><div class="li"> If you are running behind a proxy, make sure LemonLDAP::NG can <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">see the original IP address</a> of incoming HTTP connections.</div>
</li>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is built for each form. To disable it, set requireToken to 0 <em>(portal security parameters in the manager)</em>.</div>
</li>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: the portal builds this header dynamically. You can modify the default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em>.</div>
</li>
<li class="level2"><div class="li"><strong>Apache handler</strong> is now Lemonldap::NG::Handler::ApacheMP2 and Menu is now Lemonldap::NG::Handler::ApacheMP2::Menu</div>
</li>
<li class="level2"><div class="li"> Because of an Apache behaviour change, PerlHeaderParserHandler must no longer be used with "reload" URLs <em>(replaced by PerlResponseHandler)</em>. Any "reload URL" inside a protected vhost must be unprotected in the vhost rules <em>(protection has to be done by the web server configuration)</em>.</div>
</li>
<li class="level1"><div class="li"><a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a>, <a href="documentation/latest/applications/zimbra.html" class="wikilink1" title="documentation:latest:applications:zimbra">ZimbraPreAuth</a>, <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">SecureToken</a> and <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a> are now <a href="handlerarch.html" class="wikilink1" title="documentation:2.0:handlerarch">Handler Types</a>. So there is no longer a special file to load: you just have to choose the "VirtualHost type" in the manager, under VirtualHosts.</div>
</li>
<li class="level1"><div class="li"><a href="ssocookie.html" class="wikilink1" title="documentation:2.0:ssocookie">SSOCookie</a>: since Firefox 60 and Chrome 68, the "+2d, +5M, 12h and so on..." cookie expiration time notation is no longer supported. The CookieExpiration value is a number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately.</div>
</li>
<li class="level1"><div class="li"> hostname() and remote_ip() are no longer provided, to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
</li>
<li class="level1"><div class="li"><code>$ENV{&lt;cgi_variable&gt;}</code> is now available everywhere: see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></div>
</li>
<li class="level1"><div class="li"> Some variable names have changed. See the <a href="variables.html" class="wikilink1" title="documentation:2.0:variables">variables</a> document.</div>
</li>
<p>
Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned, and the <code>WWW-Authenticate</code> header contains <code><abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;</code>.
</p>
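The reason for the change is that XMLHttpRequest and fetch follow a 302 transparently, so a script whose session had expired received the portal's login page HTML in place of its data, with no way to tell what happened; a 401 with a WWW-Authenticate challenge is something the script can detect and act on. The following is an added example, not LemonLDAP::NG code, that models both sides: the server reply for a browser navigation versus an Ajax request, and a client helper that recovers the portal URL from the challenge. It assumes (not stated on the page) that Ajax requests are recognised by an X-Requested-With: XMLHttpRequest header and that the redirect carries no extra parameters; the portal URL is constructed.

```python
# Added example (not LemonLDAP::NG code): the post-2.0 behaviour described
# above, modelled for both sides. On the server, an expired-session reply is a
# 302 to the portal for a browser navigation but a 401 with
# "WWW-Authenticate: SSO <portal-URL>" for an Ajax request; on the client, a
# helper recovers the portal URL from that challenge.
# Assumptions (not from the page): Ajax requests are recognised by the
# X-Requested-With: XMLHttpRequest header, and the redirect carries no extra
# parameters. Sample values are constructed.
from typing import Dict, Optional, Tuple

PORTAL_URL = "https://auth.example.org/"   # constructed


def is_ajax(headers: Dict[str, str]) -> bool:
    """Hypothetical Ajax detection via the X-Requested-With header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-requested-with", "").lower() == "xmlhttprequest"


def expired_session_response(headers: Dict[str, str],
                             portal_url: str = PORTAL_URL) -> Tuple[int, Dict[str, str]]:
    """Status and headers a handler returns once the SSO session has timed out."""
    if is_ajax(headers):
        # A redirect would be followed transparently by XMLHttpRequest/fetch and
        # the script would receive the login page HTML instead of its data.
        return 401, {"WWW-Authenticate": f"SSO {portal_url}"}
    return 302, {"Location": portal_url}


def portal_url_from_challenge(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Client side: return the portal URL when the reply is an SSO challenge, else None."""
    if status != 401:
        return None
    challenge = headers.get("WWW-Authenticate", "")
    scheme, _, param = challenge.partition(" ")
    if scheme.upper() != "SSO" or not param.strip():
        return None
    return param.strip()


if __name__ == "__main__":
    for request_headers in ({"X-Requested-With": "XMLHttpRequest"}, {"Accept": "text/html"}):
        status, reply = expired_session_response(request_headers)
        print(request_headers, "->", status, reply,
              "portal:", portal_url_from_challenge(status, reply))
```

A client that receives a portal URL from the challenge can prompt the user to re-authenticate (for example by opening the portal in a new window) instead of silently retrying or misparsing an HTML login page as JSON.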
<li class="level1"><div class="li"> SOAP server activation is now split into 2 parameters (configuration/sessions). You must set them, or the SOAP service will be disabled.</div>
</li>
<li class="level1"><div class="li"> Notifications are now REST/JSON by default. You can force the old format in the manager. Note that the SOAP proxy has changed: it is now <a href="http://portal/notifications" class="urlextern" title="http://portal/notifications" rel="nofollow">http://portal/notifications</a>.</div>
</li>
<li class="level1"><div class="li"> If you use the "adminSessions" endpoint with "singleSession*" features, you must upgrade all portals simultaneously.</div>
</li>
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> now uses REST services instead of SOAP.</div>
<p>
The <abbr title="Central Authentication Service">CAS</abbr> authentication module no longer uses the Perl <abbr title="Central Authentication Service">CAS</abbr> client, but our own code. You can now define several <abbr title="Central Authentication Service">CAS</abbr> servers in a specific branch in the Manager, like you can define several <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID Connect providers.
</p>
<p>
The <abbr title="Central Authentication Service">CAS</abbr> issuer module has also been improved; you must modify the configuration of <abbr title="Central Authentication Service">CAS</abbr> clients to move them from the virtual host branch to the <abbr title="Central Authentication Service">CAS</abbr> client branch.
</p>
<p>
The Portal now has many REST features and includes an <abbr title="Application Programming Interface">API</abbr> plugin. See the Portal manpages to learn how to write auth modules, issuers or other features.
</p>
<p>
Requests are independent objects based on Lemonldap::NG::Portal::Main::Request, which inherits from Lemonldap::NG::Common::PSGI::Request, which in turn inherits from Plack::Request. See the manpages for more.
</p>
<p>
Handler libraries have been totally rewritten. If you've made custom handlers, they must be rewritten; see <a href="customhandlers.html" class="wikilink1" title="documentation:2.0:customhandlers">customhandlers</a>.
</p>
<p>
If you used self-protected CGIs, you also need to rewrite them; see the <a href="selfmadeapplication.html#perl_auto-protected_cgi" class="wikilink1" title="documentation:2.0:selfmadeapplication">documentation</a>.
</p>