As usual, if you use more than 1 server and don't want to stop the <abbr title="Single Sign On">SSO</abbr> service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, the upgrade must be done in the following order:
</p>
<ol>
<li class="level1"><div class="li"> servers that have only handlers;</div>
</li>
<li class="level1"><div class="li"> portal servers <em>(all together if your load balancer doesn't keep state by user or client <abbr title="Internet Protocol">IP</abbr> and if users use the menu)</em>;</div>
<li class="level1"><div class="li"> The User module in authentication parameters now provides a “Same as authentication” value. You must revalidate it in the manager, since all special values must be replaced by this one <em>(Multi, Choice, Proxy, Slave, <abbr title="Security Assertion Markup Language">SAML</abbr>, OpenID*,…)</em></div>
</li>
<li class="level1"><div class="li"><strong>“Multi” doesn't exist anymore</strong>: it is replaced by the more powerful <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a></div>
<div class="noteimportant">Apache mod_perl has had a lot of issues since version 2.4 <em>(many segfaults,…)</em>, especially when using mpm-worker. That's why <abbr title="LemonLDAP::NG">LL::NG</abbr> no longer uses ModPerl::Registry: everything is now handled by FastCGI <em>(portal and manager)</em>.
<h2 class="sectionedit5" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added in 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can keep the old integration method <em>(using <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
</li>
<li class="level1"><div class="li"> For <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a>, a new <a href="authssl.html#ssl_by_ajax" class="wikilink1" title="documentation:2.0:authssl">Ajax option</a> can be used in the same way, so that SSL can be used in conjunction with other backends.</div>
<li class="level1"><div class="li"><strong>Syslog</strong>: logs are now configured only in the <code>lemonldap-ng.ini</code> file. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
</li>
<li class="level1"><div class="li"><strong>Apache2</strong>: the portal no longer uses the Apache2 logger. Logs continue to be written to Apache error.log but the Apache “LogLevel” parameter has no effect on it: the portal is now a FastCGI application and no longer uses ModPerl. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is built for each form. To disable it, set requireToken to 0 <em>(portal security parameters in the manager)</em></div>
</li>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: the portal builds this header dynamically. You can modify the default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em></div>
<li class="level1"><div class="li"><a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a>, <a href="documentation/latest/applications/zimbra.html" class="wikilink1" title="documentation:latest:applications:zimbra">ZimbraPreAuth</a>, <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">SecureToken</a> and <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a> are now <a href="handlerarch.html" class="wikilink1" title="documentation:2.0:handlerarch">Handler Types</a>. So there is no longer a special file to load: you just have to choose the “VirtualHost type” in the manager/VirtualHosts.</div>
</li>
<li class="level1"><div class="li"><strong>Apache only</strong>: because of an Apache behaviour change, PerlHeaderParserHandler must no longer be used with “reload” URLs <em>(replaced by PerlResponseHandler)</em>. Any “reload URL” inside a protected vhost must be unprotected in the vhost rules <em>(protection has to be done by web server configuration)</em>.</div>
<li class="level1"><div class="li"> hostname() and remote_ip() are no longer provided, to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
</li>
<li class="level1"><div class="li"><code>$ENV{&lt;cgi_variable&gt;}</code> is now available everywhere: see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></div>
</li>
<li class="level1"><div class="li"> some variable names have changed. See the <a href="variables.html" class="wikilink1" title="documentation:2.0:variables">variables</a> document</div>
Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned. The <code>WWW-Authenticate</code> header contains: <code><abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;</code>
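<p>
An added example, not part of the LemonLDAP::NG documentation or code base: client-side handling of the 401 response described above, which checks the announced portal against an allow-list before any redirect. It assumes the challenge value has the form <code>SSO &lt;portal-URL&gt;</code>; the allow-list, function names and sample URLs are constructed for illustration.
</p>

```javascript
// Added example, not LemonLDAP::NG code. ALLOWED_PORTALS and every sample
// value here are assumptions made for the illustration.
const ALLOWED_PORTALS = new Set(['https://auth.example.com']);

// Parse a WWW-Authenticate value of the form "SSO <portal-URL>".
// Returns a URL object, or null if the challenge is absent or malformed.
function parseSsoChallenge(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*SSO\s+(\S+)\s*$/i.exec(headerValue);
  if (!m) return null;
  try {
    return new URL(m[1]); // throws on relative or unparsable URLs
  } catch (e) {
    return null;
  }
}

// Decide what an Ajax caller should do with a response.
// status: HTTP status code; getHeader: (name) => string | null
function classifyAjaxResponse(status, getHeader) {
  // Anything other than 401 is left to the application's normal handling.
  if (status !== 401) return { action: 'proceed' };

  const portal = parseSsoChallenge(getHeader('WWW-Authenticate'));
  if (!portal) return { action: 'error', reason: 'no SSO challenge' };

  // Never navigate to a portal the application does not already trust:
  // the header value is response data, not configuration.
  if (portal.protocol !== 'https:' || !ALLOWED_PORTALS.has(portal.origin)) {
    return { action: 'error', reason: 'untrusted portal' };
  }
  return { action: 'reauthenticate', portal: portal.href };
}
```

In a browser, call it as <code>classifyAjaxResponse(res.status, (n) => res.headers.get(n))</code> on a fetch response. A cross-origin script can read <code>WWW-Authenticate</code> only if the server lists it in <code>Access-Control-Expose-Headers</code>.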
<li class="level1"><div class="li"> SOAP server activation is now split into 2 parameters (configuration/sessions). You must set them, otherwise the SOAP service will be disabled</div>
<li class="level1"><div class="li"> Notifications are now REST/JSON by default. You can force the old format in the manager. Note that the SOAP proxy has changed: it is now <a href="http://portal/notifications" class="urlextern" title="http://portal/notifications" rel="nofollow">http://portal/notifications</a>.</div>
<li class="level1"><div class="li"> If you use the “adminSessions” endpoint with “singleSession*” features, you must upgrade all portals at the same time</div>
</li>
<li class="level1"><div class="li"> SOAP services can be replaced by new REST services</div>
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> now uses REST services instead of SOAP.
The portal now has many REST features and includes a plugin <abbr title="Application Programming Interface">API</abbr>. See the Portal manpages to see how to write auth modules, issuers or other features.
The portal is no longer a big CGI object: it is written for Plack/PSGI. A short summary:
</p>
<pre class="file">Portal object
|
+-> auth module
|
+-> userDB module
|
+-> issuer modules
|
+-> other plugins (notification,...)</pre>
<p>
The request is a separate object based on Lemonldap::NG::Portal::Main::Request, which inherits from Lemonldap::NG::Common::PSGI::Request, which in turn inherits from Plack::Request. See the manpages for more.
Handler libraries have been totally rewritten. If you've made custom handlers, they must be rewritten, see <a href="customhandlers.html" class="wikilink1" title="documentation:2.0:customhandlers">customhandlers</a>.
</p>
<p>
If you had auto-protected CGIs, you also need to rewrite them, see <a href="selfmadeapplication.html#perl_auto-protected_cgi" class="wikilink1" title="documentation:2.0:selfmadeapplication">documentation</a>.