<div class="notewarning">If you have <a href="installrpm.html" class="wikilink1" title="documentation:2.0:installrpm">installed LemonLDAP::NG from official RPMs</a>, you may run into bug <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" rel="nofollow">#1757</a> and lose your Apache configuration files while updating from LemonLDAP::NG 2.0.0 or 2.0.1 to later versions. Please back up your <code>/etc/httpd/conf.d/z-lemonldap-ng-*.conf</code> files before the update.
</div>
</div>
<!-- EDIT1 SECTION "Upgrade from 2.0.x to 2.0.y" [1-527] -->
<li class="level1"><div class="li"> New dependency: the Perl module Time::Fake is now required to run the unit tests and build packages, but should not be mandatory to run the software.</div>
</li>
<li class="level1"><div class="li"> Nginx configuration: some changes are required to allow IPv6, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2152" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2152" rel="nofollow">#2152</a></div>
</li>
<li class="level1"><div class="li"> Option <code>singleSessionUserByIP</code> was removed, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2159" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2159" rel="nofollow">#2159</a></div>
</li>
<li class="level1"><div class="li"> A memory leak was found in perl-fcgi with Perl &lt; 5.18; a workaround is possible with Apache and llng-fastcgi-server, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1314" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1314" rel="nofollow">#1314</a></div>
<ul>
<li class="level2"><div class="li"> With Apache: set <code>FcgidMaxRequestsPerProcess 500</code> in the portal virtual host</div>
</li>
<li class="level2"><div class="li"> With llng-fastcgi-server: set <code>PM_MAX_REQUESTS=500</code> in the llng-fastcgi-server service configuration</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Cookie <code>SameSite</code> value: to avoid problems with recent browsers (for example with the <abbr title="Security Assertion Markup Language">SAML</abbr> POST binding), LLNG cookies are now tagged as "<strong>SameSite=None</strong>". You can change this value in the manager; "<strong>SameSite=Lax</strong>" is best for installations without federations. <strong>Important note</strong>: if you're using an unsecured connection <em>(http:// instead of https://)</em>, "SameSite=None" will be ignored by browsers and users that already have a valid session might be prompted to log in again.</div>
</li>
<li class="level1"><div class="li"> OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now return a 401 when called without an Access Token, instead of redirecting to the portal, as specified by <a href="https://tools.ietf.org/html/rfc6750" class="urlextern" title="https://tools.ietf.org/html/rfc6750" rel="nofollow">RFC6750</a></div>
<ul>
<li class="level2"><div class="li"><a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040" rel="nofollow">#2040</a>: Configuration of a redirection <abbr title="Uniform Resource Identifier">URI</abbr> for an OpenID Connect Relying Party is now mandatory, as defined in the specifications. If you save your configuration, you will get an error if some of your RPs don't have a redirect <abbr title="Uniform Resource Identifier">URI</abbr> configured.</div>
</li>
<li class="level2"><div class="li"><a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943" rel="nofollow">#1943</a> / <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19791" class="urlextern" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19791" rel="nofollow">CVE-2019-19791</a>: along with the patch provided in 2.0.7 in <code>Lemonldap/NG/Common/PSGI/Request.pm</code>, the Apache rewrite rule must be updated to avoid unprotected access to REST services:</div>
</li>
<li class="level2"><div class="li"> Option <code>checkTime</code> was enabled by default in <code>lemonldap-ng.ini</code>; this lets the portal check the configuration immediately instead of waiting for the configuration cache to expire. You can keep this option enabled unless you need maximum <a href="performances.html" class="wikilink1" title="documentation:2.0:performances">performance</a>.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> An option was added to display the generate-password box in the <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password reset by mail plugin</a>. If you use this feature, you must enable this option, which is disabled by default.</div>
</li>
<li class="level1"><div class="li"> If you use the default _whatToTrace macro and a case-insensitive authentication backend, then a user can generate several persistent sessions for the same login (see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" rel="nofollow">issue 1869</a>). This can lead to a security bug if you enabled 2FA, which relies on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace, or force lower case in your macro:</div>
</li>
<li class="level1"><div class="li"> On CentOS 7 / RHEL 7, a system upgrade breaks ImageMagick, which is used to display captchas (see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1951" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1951" rel="nofollow">#1951</a>). To fix this, you can run the following commands:</div>
</li>
<li class="level1"><div class="li"> The Text::Unidecode Perl module is now a requirement <em>(it will be installed automatically if you upgrade from the deb or RPM repositories)</em></div>
</li>
<li class="level1"><div class="li"><abbr title="Central Authentication Service">CAS</abbr> logout now validates the service= parameter, but only if you use the <abbr title="Central Authentication Service">CAS</abbr> access control policy. The <abbr title="Uniform Resource Locator">URL</abbr> sent in the service= parameter will be checked against <a href="idpcas.html#configuring_cas_applications" class="wikilink1" title="documentation:2.0:idpcas">known CAS applications</a>, Virtual Hosts, and <a href="security.html#configure_security_settings" class="wikilink1" title="documentation:2.0:security">trusted domains</a>. Add your target domain to the trusted domains if you suddenly start getting "Invalid <abbr title="Uniform Resource Locator">URL</abbr>" messages on logout</div>
</li>
<li class="level1"><div class="li"> Improvements in cryptographic functions: to take advantage of them, <strong>you must change the encryption key</strong> of LemonLDAP::NG (see <a href="cli_examples.html#encryption_key" class="wikilink1" title="documentation:2.0:cli_examples">CLI example</a>).</div>
</li>
<li class="level1"><div class="li"> Debian packaging: FastCGI / uWSGI servers require llng-lmlog.conf and llng-lua-headers.conf. These configuration files are now provided by the lemonldap-ng-handler package and installed in the /etc/nginx/snippets directory.</div>
</li>
<p>As usual, if you use more than one server and don't want to stop the <abbr title="Single Sign On">SSO</abbr> service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, the upgrade must be done in the following order:</p>
<li class="level1"><div class="li"> portal servers <em>(all together if your load balancer is stateless (user or client <abbr title="Internet Protocol">IP</abbr>) and if users use the menu)</em>;</div>
</li>
<li class="level1"><div class="li"><strong>lemonldap-ng.ini</strong> requires some new fields in the portal section. Update yours using the one installed by default. The new required fields are:</div>
<ul>
<li class="level2"><div class="li"><strong>staticPrefix</strong> <em>(manager and portal)</em>: the path to static content</div>
</li>
<li class="level2"><div class="li"><strong>templateDir</strong> <em>(manager and portal)</em>: the path to the templates directory</div>
</li>
<li class="level2"><div class="li"><strong>languages</strong> <em>(manager and portal)</em>: accepted languages</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Portal skins are now in <code>/usr/share/lemonldap-ng/portal/templates</code>. See <a href="portalcustom.html#skin_customization" class="wikilink1" title="documentation:2.0:portalcustom">skin customization</a> to adapt your templates.</div>
</li>
<li class="level1"><div class="li"> The User module in authentication parameters now provides a "Same as authentication" value. You must revalidate it in the manager since all special values must be replaced by this <em>(Multi, Choice, Proxy, Slave, <abbr title="Security Assertion Markup Language">SAML</abbr>, OpenID*, ...)</em></div>
</li>
<li class="level1"><div class="li"><strong>"Multi" doesn't exist anymore</strong>: it is replaced by <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, a more powerful module.</div>
</li>
<li class="level1"><div class="li"> Option <code>trustedProxies</code> was removed; you must now configure your web server to manage the <code>X-Forwarded-For</code> header, see <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">how to run LL::NG behind a reverse proxy</a>.</div>
</li>
</ul>
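<p>The SameSite note in the list above has two failure modes worth checking after an upgrade: the default "SameSite=None" is ignored over plain http://, and browsers additionally require the Secure attribute on a SameSite=None cookie, while "SameSite=Lax" breaks cross-site POST flows such as the SAML POST binding. The following check is an added example written for this page, not LemonLDAP::NG code; it parses a captured <code>Set-Cookie</code> header (the header values and the portal URL used here are constructed) and reports which of these problems apply.</p>

```python
"""Check whether a portal Set-Cookie header will be honoured by current browsers.

Added illustration, not LemonLDAP::NG's own code. The Set-Cookie values and
portal URLs used with it are constructed samples.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def samesite_problems(header: str, portal_url: str, federations: bool) -> list:
    """Return the SameSite problems for this cookie, empty when the setting is sound.

    federations: True when the portal takes part in SAML/OIDC/CAS exchanges,
    which need the cookie on cross-site requests.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    scheme = urlsplit(portal_url).scheme.lower()
    samesite = str(attrs.get("samesite", "")).lower()
    problems = []
    if samesite == "none":
        # Browsers drop SameSite=None over http://, so users with a valid
        # session would be prompted to log in again.
        if scheme != "https":
            problems.append("SameSite=None is ignored over http://; switch the portal to https://")
        # SameSite=None is only accepted together with the Secure attribute.
        if "secure" not in attrs:
            problems.append("SameSite=None requires the Secure attribute")
    elif samesite in ("lax", "strict"):
        if federations:
            problems.append(
                f"SameSite={samesite.capitalize()} blocks cross-site POST flows such as the SAML POST binding"
            )
    else:
        # No attribute at all: recent browsers treat the cookie as Lax.
        problems.append("no SameSite attribute; recent browsers default to Lax")
    return problems


if __name__ == "__main__":
    # Constructed header as a portal on https:// with federations would emit it.
    sample = "lemonldap=abc; Path=/; Domain=.example.com; SameSite=None; Secure"
    print(samesite_problems(sample, "https://auth.example.com/", federations=True))
```

Run it against the real header from <code>curl -sI</code> on your portal login page and the portal's public URL; an empty list means the default is safe for your deployment.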
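<p>To make the new <abbr title="Central Authentication Service">CAS</abbr> logout behaviour described above concrete, here is an added example of the kind of allowlist check the service= parameter now goes through: the host of the URL must belong to a known CAS application, a Virtual Host, or a trusted domain (matched with its subdomains), otherwise logout answers "Invalid URL". This is illustration code written for this page, not LemonLDAP::NG's implementation, and the application, virtual host and trusted domain lists are constructed.</p>

```python
"""Allowlist check for the CAS logout service= parameter.

Added illustration, not LemonLDAP::NG's own code. The three lists below stand
in for the manager's known CAS applications, Virtual Hosts and trusted domains.
"""
from urllib.parse import urlsplit

# Constructed configuration: known CAS applications are full URLs, virtual
# hosts and trusted domains are host names.
CAS_APPLICATIONS = {"https://wiki.example.com/login/cas", "https://crm.example.com/"}
VIRTUAL_HOSTS = {"intranet.example.com", "manager.example.com"}
TRUSTED_DOMAINS = {"partner.example.org"}


def host_matches_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any of its subdomains (dot-anchored, so
    'partner.example.org.evil.net' does not match)."""
    return host == domain or host.endswith("." + domain)


def is_valid_logout_service(service: str) -> bool:
    """Decide whether a logout service= URL may be used as redirect target."""
    parts = urlsplit(service)
    # Only web URLs with a host are acceptable; rejects javascript:, data:,
    # scheme-relative and malformed values.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit returns the real host even when the URL carries a
    # 'user@' prefix, so 'https://wiki.example.com@evil.net/' is judged on evil.net.
    host = parts.hostname.lower()
    known_app_hosts = {urlsplit(url).hostname.lower() for url in CAS_APPLICATIONS}
    if host in known_app_hosts or host in VIRTUAL_HOSTS:
        return True
    return any(host_matches_domain(host, domain) for domain in TRUSTED_DOMAINS)


if __name__ == "__main__":
    for candidate in (
        "https://wiki.example.com/login/cas",
        "https://app.partner.example.org/logout",
        "https://intranet.example.com.evil.net/",
    ):
        print(candidate, "->", "ok" if is_valid_logout_service(candidate) else "Invalid URL")
```

If a legitimate application is refused after the upgrade, the fix on the page applies: add its domain to the trusted domains rather than relaxing the check.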
<div class="noteimportant">Apache mod_perl has had many problems since version 2.4 <em>(many segfaults, ...)</em>, especially when using MPM worker or MPM event. That's why <abbr title="LemonLDAP::NG">LL::NG</abbr> no longer uses ModPerl::Registry: everything is now handled by FastCGI <em>(portal and manager)</em>, except for the Apache2 Handler.</div>
<p>The portal now behaves like the handlers: it checks the configuration stored in the local cache every 10 minutes, so it has to be reloaded like every handler.
</p>
<div class="noteimportant">If you want to use the reload mechanism on a portal-only host, you must install a handler on the portal host to be able to refresh the local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code>, for example.</div>
<p>LDAP connections are now kept open to improve performance. To allow that, <abbr title="LemonLDAP::NG">LL::NG</abbr> requires anonymous access to the LDAP RootDSE entry to check the connection.</p>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added in 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display, ...)</em>. However, you can keep the old integration method <em>(using the <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
</li>
<li class="level1"><div class="li"> For <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a>, a new <a href="authssl.html#ssl_by_ajax" class="wikilink1" title="documentation:2.0:authssl">Ajax option</a> can be used in the same way, so SSL can be used in conjunction with other backends.</div>
</li>
<li class="level1"><div class="li"><strong>Syslog</strong>: logs are now configured in the <code>lemonldap-ng.ini</code> file only. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
</li>
<li class="level1"><div class="li"><strong>Apache2</strong>: the portal no longer uses the Apache2 logger. Logs are still written to the Apache error.log, but the Apache "LogLevel" parameter no longer has any effect on them. The portal is now a FastCGI application and no longer uses ModPerl. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
</li>
<li class="level1"><div class="li"> If you are running behind a proxy, make sure LemonLDAP::NG can <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">see the original IP address</a> of incoming HTTP connections</div>
</li>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is built for each form. To disable it, set requireToken to 0 <em>(portal security parameters in the manager)</em></div>
</li>
<li class="level1"><div class="li"><a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: the portal builds this header dynamically. You can modify the default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em></div>
</li>
<ul>
<li class="level2"><div class="li"><strong>Apache handler</strong> is now Lemonldap::NG::Handler::ApacheMP2 and Menu is now Lemonldap::NG::Handler::ApacheMP2::Menu</div>
</li>
<li class="level2"><div class="li"> because of an Apache behaviour change, PerlHeaderParserHandler must no longer be used with "reload" URLs <em>(replaced by PerlResponseHandler)</em>. Any "reload url" that is inside a protected vhost must be unprotected in the vhost rules <em>(protection has to be done by the web server configuration)</em>.</div>
</li>
</ul>
<li class="level1"><div class="li"><a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a>, <a href="documentation/latest/applications/zimbra.html" class="wikilink1" title="documentation:latest:applications:zimbra">ZimbraPreAuth</a>, <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">SecureToken</a> and <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a> are now <a href="handlerarch.html" class="wikilink1" title="documentation:2.0:handlerarch">Handler Types</a>. So there is no longer a special file to load: you just have to choose the "VirtualHost type" in the manager/VirtualHosts.</div>
</li>
<li class="level1"><div class="li"><a href="ssocookie.html" class="wikilink1" title="documentation:2.0:ssocookie">SSOCookie</a>: since Firefox 60 and Chrome 68, the "+2d, +5M, 12h and so on..." cookie expiration time notation is no longer supported. The CookieExpiration value is a number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately.</div>
</li>
<li class="level1"><div class="li"> hostname() and remote_ip() are no longer provided, to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
</li>
<li class="level1"><div class="li"><code>$ENV{&lt;cgi_variable&gt;}</code> is now available everywhere: see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></div>
</li>
<li class="level1"><div class="li"> some variable names have changed. See the <a href="variables.html" class="wikilink1" title="documentation:2.0:variables">variables</a> document</div>
</li>
<p>Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned, and the <code>WWW-Authenticate</code> header contains: <code>SSO &lt;portal-URL&gt;</code></p>
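<p>A JavaScript client that followed the old 302 will see a 401 after the upgrade, so it has to read the portal URL out of the <code>WWW-Authenticate</code> challenge instead. The helper below is an added example for this page, not LemonLDAP::NG code: it extracts the portal URL from the new <code>SSO &lt;portal-URL&gt;</code> form (the angle brackets are treated as optional, which is an assumption about the exact header format) and still understands the pre-2.0 302 answer, which is convenient during a rolling upgrade of several portal servers. The response samples it is run on are constructed.</p>

```python
"""Extract the portal login URL from a session-expired answer to an Ajax call.

Added illustration, not LemonLDAP::NG's own code. Assumes the challenge format
"SSO <portal-URL>" described on the page, with the angle brackets optional.
"""
import re

# "SSO" scheme followed by the portal URL, with or without angle brackets.
_SSO_CHALLENGE = re.compile(r"^\s*SSO\s+<?([^>\s]+)>?\s*$", re.IGNORECASE)


def portal_login_url(status: int, headers: dict):
    """Return the URL the user must be sent to, or None if the response is not
    a session-expired answer from the portal.

    headers: response headers as a dict; header names are matched case-insensitively.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    if status == 401:
        challenge = lower.get("www-authenticate", "")
        match = _SSO_CHALLENGE.match(challenge)
        # A Bearer or Basic challenge is not the portal's SSO answer.
        return match.group(1) if match else None
    if status == 302:
        # Pre-2.0 behaviour, still useful while portals of both versions run.
        return lower.get("location")
    return None


if __name__ == "__main__":
    # Constructed 2.0 answer to an Ajax request whose session has expired.
    sample = {"WWW-Authenticate": "SSO <https://auth.example.com/>"}
    print(portal_login_url(401, sample))
```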
<li class="level1"><div class="li"> SOAP server activation is now split into 2 parameters (configuration/sessions). You must set them, otherwise the SOAP service will be disabled</div>
</li>
<li class="level1"><div class="li"> Notifications are now REST/JSON by default. You can force the old format in the manager. Note that the SOAP proxy has changed: it is now <a href="http://portal/notifications" class="urlextern" title="http://portal/notifications" rel="nofollow">http://portal/notifications</a>.</div>
</li>
<li class="level1"><div class="li"> If you use the "adminSessions" endpoint with "singleSession*" features, you must upgrade all portals simultaneously</div>
</li>
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> now uses REST services instead of SOAP.</div>
<p>
The <abbr title="Central Authentication Service">CAS</abbr> authentication module no longer uses the Perl <abbr title="Central Authentication Service">CAS</abbr> client, but our own code. You can now define several <abbr title="Central Authentication Service">CAS</abbr> servers in a specific branch in the Manager, like you can define several <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID Connect providers.
</p>
<p>
The <abbr title="Central Authentication Service">CAS</abbr> issuer module has also been improved; you must modify the configuration of <abbr title="Central Authentication Service">CAS</abbr> clients to move them from the virtual host branch to the <abbr title="Central Authentication Service">CAS</abbr> client branch.
</p>
<p>The portal now has many REST features and includes an <abbr title="Application Programming Interface">API</abbr> plugin. See the Portal manpages to learn how to write auth modules, issuers or other features.</p>
<p>Requests are independent objects based on Lemonldap::NG::Portal::Main::Request, which inherits from Lemonldap::NG::Common::PSGI::Request, which inherits from Plack::Request. See the manpages for more.</p>
<p>Handler libraries have been totally rewritten. If you've made custom handlers, they must be rewritten, see <a href="customhandlers.html" class="wikilink1" title="documentation:2.0:customhandlers">customhandlers</a>.</p>
<p>If you used self-protected CGIs, you also need to rewrite them, see the <a href="selfmadeapplication.html#perl_auto-protected_cgi" class="wikilink1" title="documentation:2.0:selfmadeapplication">documentation</a>.</p>