Merge branch 'v2.0' into 2266
059b2b13f1
61
COPYING
61
COPYING
|
@ -98,7 +98,7 @@ Comment: downloaded from
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/GitHub.png
|
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/GitHub.png
|
||||||
Copyright: GitHub
|
Copyright: GitHub
|
||||||
License: MIT
|
License: Expat
|
||||||
Comment: downloaded from
|
Comment: downloaded from
|
||||||
https://commons.wikimedia.org/wiki/File:Octicons-mark-github.svg
|
https://commons.wikimedia.org/wiki/File:Octicons-mark-github.svg
|
||||||
|
|
||||||
|
@ -126,13 +126,13 @@ Comment: This work, "decryptValue.png", is a derivative of
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
|
||||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
License: CC-4
|
License: CC-BY-4.0
|
||||||
Comment: This work, "switchcontext_OFF.png", is a derivative of
|
Comment: This work, "switchcontext_OFF.png", is a derivative of
|
||||||
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
|
||||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
License: CC-4
|
License: CC-BY-4.0
|
||||||
Comment: This work, "switchcontext_ON.png", is a derivative of
|
Comment: This work, "switchcontext_ON.png", is a derivative of
|
||||||
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||||
|
|
||||||
|
@ -230,22 +230,17 @@ Copyright: 2014-2015, Google Inc.
|
||||||
License: BSD-3-clause
|
License: BSD-3-clause
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
|
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
|
||||||
doc/pages/documentation/current/icons/*
|
doc/sources/admin/icons/*
|
||||||
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
|
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
|
||||||
License: LGPL-3
|
License: LGPL-3
|
||||||
|
|
||||||
Files: doc/pages/documentation/current/lib/images/*
|
Files: doc/sources/admin/documentation/lasso.png
|
||||||
Copyright: 2004-2012 Andreas Gohr <andi@splitbrain.org>
|
|
||||||
and the DokuWiki Community
|
|
||||||
License: GPL-2
|
|
||||||
|
|
||||||
Files: doc/pages/documentation/current/documentation/lasso*.png
|
|
||||||
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
|
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
|
||||||
2004, Florent Monnier
|
2004, Florent Monnier
|
||||||
License: GPL-2+
|
License: GPL-2+
|
||||||
|
|
||||||
Files: debian/*
|
Files: debian/*
|
||||||
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
|
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
|
||||||
License: GPL-2+
|
License: GPL-2+
|
||||||
|
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
@ -728,7 +723,7 @@ License: CC-BY-NC-ND-3.0
|
||||||
title of the Work if supplied; (iii) to the extent reasonably
|
title of the Work if supplied; (iii) to the extent reasonably
|
||||||
practicable, the URI, if any, that Licensor specifies to be associated
|
practicable, the URI, if any, that Licensor specifies to be associated
|
||||||
with the Work, unless such URI does not refer to the copyright notice or
|
with the Work, unless such URI does not refer to the copyright notice or
|
||||||
licensing information for the Work. The credit required by this Section
|
licensing information for the Work. The credit required by this Section
|
||||||
(c) may be implemented in any reasonable manner; provided, however, that
|
(c) may be implemented in any reasonable manner; provided, however, that
|
||||||
in the case of a Collection, at a minimum such credit will appear, if a
|
in the case of a Collection, at a minimum such credit will appear, if a
|
||||||
credit for all contributing authors of Collection appears, then as part
|
credit for all contributing authors of Collection appears, then as part
|
||||||
|
@ -937,27 +932,27 @@ License: CC-BY-4.0
|
||||||
.
|
.
|
||||||
Attribution.
|
Attribution.
|
||||||
.
|
.
|
||||||
If You Share the Licensed Material (including in modified form), You
|
If You Share the Licensed Material (including in modified form), You
|
||||||
must: retain the following if it is supplied by the Licensor with the
|
must: retain the following if it is supplied by the Licensor with the
|
||||||
Licensed Material: identification of the creator(s) of the Licensed
|
Licensed Material: identification of the creator(s) of the Licensed
|
||||||
Material and any others designated to receive attribution, in any
|
Material and any others designated to receive attribution, in any
|
||||||
reasonable manner requested by the Licensor (including by pseudonym if
|
reasonable manner requested by the Licensor (including by pseudonym if
|
||||||
designated); a copyright notice; a notice that refers to this Public
|
designated); a copyright notice; a notice that refers to this Public
|
||||||
License; a notice that refers to the disclaimer of warranties; a URI or
|
License; a notice that refers to the disclaimer of warranties; a URI or
|
||||||
hyperlink to the Licensed Material to the extent reasonably practicable;
|
hyperlink to the Licensed Material to the extent reasonably practicable;
|
||||||
indicate if You modified the Licensed Material and retain an indication
|
indicate if You modified the Licensed Material and retain an indication
|
||||||
of any previous modifications; and indicate the Licensed Material is
|
of any previous modifications; and indicate the Licensed Material is
|
||||||
licensed under this Public License, and include the text of, or the URI
|
licensed under this Public License, and include the text of, or the URI
|
||||||
or hyperlink to, this Public License. You may satisfy the conditions in
|
or hyperlink to, this Public License. You may satisfy the conditions in
|
||||||
Section 3(a)(1) in any reasonable manner based on the medium, means, and
|
Section 3(a)(1) in any reasonable manner based on the medium, means, and
|
||||||
context in which You Share the Licensed Material. For example, it may be
|
context in which You Share the Licensed Material. For example, it may be
|
||||||
reasonable to satisfy the conditions by providing a URI or hyperlink to
|
reasonable to satisfy the conditions by providing a URI or hyperlink to
|
||||||
a resource that includes the required information. If requested by the
|
a resource that includes the required information. If requested by the
|
||||||
Licensor, You must remove any of the information required by Section
|
Licensor, You must remove any of the information required by Section
|
||||||
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
|
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
|
||||||
Material You produce, the Adapter's License You apply must not prevent
|
Material You produce, the Adapter's License You apply must not prevent
|
||||||
recipients of the Adapted Material from complying with this Public
|
recipients of the Adapted Material from complying with this Public
|
||||||
License.
|
License.
|
||||||
.
|
.
|
||||||
Section 4 – Sui Generis Database Rights.
|
Section 4 – Sui Generis Database Rights.
|
||||||
.
|
.
|
||||||
|
|
15
RELEASE
15
RELEASE
|
@ -23,16 +23,9 @@ Before release
|
||||||
$ ./scripts/download_translations
|
$ ./scripts/download_translations
|
||||||
|
|
||||||
- Update documentation:
|
- Update documentation:
|
||||||
|
$ ./scripts/parameters-for-doc.pl > doc/sources/admin/parameterlist.rst
|
||||||
$ ./scripts/parameters-for-wiki.pl >/tmp/prmlist.txt
|
|
||||||
|
|
||||||
Replace https://lemonldap-ng.org/documentation/X.X/parameterlist by
|
|
||||||
/tmp/prmlist.txt content
|
|
||||||
|
|
||||||
$ make documentation
|
|
||||||
|
|
||||||
- Update changelog:
|
- Update changelog:
|
||||||
|
|
||||||
$ ./scripts/generate-changelog.pl
|
$ ./scripts/generate-changelog.pl
|
||||||
|
|
||||||
This update "changelog" file using GitLab issues (tags Bug, New feature,
|
This update "changelog" file using GitLab issues (tags Bug, New feature,
|
||||||
|
@ -56,10 +49,6 @@ For major release
|
||||||
|
|
||||||
- Go on gitlab and create a new tag: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags/new
|
- Go on gitlab and create a new tag: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags/new
|
||||||
|
|
||||||
- Change "latest" symlink in dokuwiki
|
|
||||||
|
|
||||||
- Edit scripts/doc.pl in trunk to point on the new documentation path
|
|
||||||
|
|
||||||
Make the distribution
|
Make the distribution
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
@ -89,7 +78,6 @@ Packages are in /tmp
|
||||||
Sign packages:
|
Sign packages:
|
||||||
$ dpkg-sig -p --sign builder /tmp/*.deb
|
$ dpkg-sig -p --sign builder /tmp/*.deb
|
||||||
|
|
||||||
|
|
||||||
Upload the distribution
|
Upload the distribution
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
@ -125,6 +113,7 @@ Site
|
||||||
|
|
||||||
- Update links on the download page
|
- Update links on the download page
|
||||||
- Close the milestone on Gitlab and create a new one
|
- Close the milestone on Gitlab and create a new one
|
||||||
|
- Update admin documentation and API documentation
|
||||||
|
|
||||||
Spread the word
|
Spread the word
|
||||||
---------------
|
---------------
|
||||||
|
|
|
@ -86,7 +86,7 @@
|
||||||
"authentication" : "Demo",
|
"authentication" : "Demo",
|
||||||
"cfgAuthor" : "The LemonLDAP::NG team",
|
"cfgAuthor" : "The LemonLDAP::NG team",
|
||||||
"cfgNum" : 1,
|
"cfgNum" : 1,
|
||||||
"cfgVersion" : "2.0.8",
|
"cfgVersion" : "2.0.9",
|
||||||
"cookieName" : "lemonldap",
|
"cookieName" : "lemonldap",
|
||||||
"demoExportedVars" : {
|
"demoExportedVars" : {
|
||||||
"cn" : "cn",
|
"cn" : "cn",
|
||||||
|
|
|
@ -26,7 +26,7 @@ server {
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will receive /lmauth)
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
# Improve performances
|
# Improve performances
|
||||||
#fastcgi_buffer_size 32k;
|
#fastcgi_buffer_size 32k;
|
||||||
#fastcgi_buffers 32 32k;
|
#fastcgi_buffers 32 32k;
|
||||||
|
@ -38,7 +38,7 @@ server {
|
||||||
#uwsgi_pass_request_body off;
|
#uwsgi_pass_request_body off;
|
||||||
#uwsgi_param CONTENT_LENGTH "";
|
#uwsgi_param CONTENT_LENGTH "";
|
||||||
#uwsgi_param HOST $http_host;
|
#uwsgi_param HOST $http_host;
|
||||||
#uwsgi_param X_ORIGINAL_URI $request_uri;
|
#uwsgi_param X_ORIGINAL_URI $original_uri;
|
||||||
# Improve performances
|
# Improve performances
|
||||||
#uwsgi_buffer_size 32k;
|
#uwsgi_buffer_size 32k;
|
||||||
#uwsgi_buffers 32 32k;
|
#uwsgi_buffers 32 32k;
|
||||||
|
@ -57,6 +57,7 @@ server {
|
||||||
##################################
|
##################################
|
||||||
# CALLING AUTHENTICATION #
|
# CALLING AUTHENTICATION #
|
||||||
##################################
|
##################################
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
||||||
|
|
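Review bot: The comment above the changed `fastcgi_param X_ORIGINAL_URI $original_uri;` line in the first hunk still reads `# Keep original request (LLNG server will receive /lmauth)` and says nothing about why the raw `$request_uri` was replaced, so a later "simplification" back to `$request_uri` would silently reopen the access-rule bypass this change closes (CVE-2020-24660 per the changelog in this commit). Suggest stating the intent next to the `set $original_uri $uri$is_args$args;` line in the third hunk, e.g. `# Pass the normalized $uri (percent-decoded, dot-segments resolved) plus the query string instead of the raw $request_uri, so per-URL access rules are evaluated on the same path nginx actually routes`, and the same wording in the commented-out uwsgi block of the second hunk. The Bugzilla documentation snippet later in this commit places the equivalent `set` after `auth_request /lmauth;`; nginx evaluates `set` in the rewrite phase, before the access-phase `auth_request`, so it still works, but ordering it before `auth_request` as this file does avoids the misreading. The enclosing `server`/`location` blocks start and end outside the hunks.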
83
changelog
83
changelog
|
@ -1,3 +1,86 @@
|
||||||
|
lemonldap-ng (2.0.9) stable; urgency=medium
|
||||||
|
|
||||||
|
* Bugs:
|
||||||
|
* #1659: RESTProxy doesn't fully work as a UserDB module
|
||||||
|
* #1980: Refresh my rights causes error 500 with OIDC provider
|
||||||
|
* #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
|
||||||
|
* #2196: Unable do display integer field with other fields in Manager
|
||||||
|
* #2199: StayConnected plugin not working due to error in fingerprint javascript
|
||||||
|
* #2200: Bad default value for portalDisplayOidcConsents
|
||||||
|
* #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
|
||||||
|
* #2212: Captcha or OTT is not renewed if Impersonation process failed
|
||||||
|
* #2215: CheckUser idRule is checked only if session is computed
|
||||||
|
* #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
|
||||||
|
* #2221: Bad error message when conf backend fails to load
|
||||||
|
* #2222: Errors in lemonldap-ng.ini are not correctly reported
|
||||||
|
* #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
|
||||||
|
* #2224: regression in redirection to SAML urls with query string after #2085
|
||||||
|
* #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
|
||||||
|
* #2230: LLNG 2.0.8 - Error on portal.js with IE 11
|
||||||
|
* #2234: Prevent browser caching in sendJSONresponse
|
||||||
|
* #2237: SAML SP error with auth kerberos
|
||||||
|
* #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
|
||||||
|
* #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
|
||||||
|
* #2254: Local session cache and systemd PrivateTmp
|
||||||
|
* #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
|
||||||
|
* #2257: Missing country in OpenID Connect Address Claim
|
||||||
|
* #2258: Error when using lougout_app_sso
|
||||||
|
* #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
|
||||||
|
* #2263: Incorrect SOAP Content-Type
|
||||||
|
* #2271: Labels are not working in auth form
|
||||||
|
* #2272: Secure flag missing on lemonldappdata cookie and during logout
|
||||||
|
* #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
|
||||||
|
* #2275: sgRequired option does not work when global storage is enabled for token
|
||||||
|
* #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
|
||||||
|
* #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
|
||||||
|
* #2289: Special chars password policy is not displayed if password is expired
|
||||||
|
* #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
|
||||||
|
* #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
|
||||||
|
* #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
|
||||||
|
* #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
|
||||||
|
* #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
|
||||||
|
|
||||||
|
* New features:
|
||||||
|
* #1646: integrate documentation into the codebase
|
||||||
|
* #2124: use 2FA only if and when needed
|
||||||
|
* #2205: Add a session command line (CLI) tool
|
||||||
|
|
||||||
|
* Improvements:
|
||||||
|
* #1598: Proxy Backend support for Password Module (passwordDB)
|
||||||
|
* #2188: Declare vhost with wildcard and prefix/suffix
|
||||||
|
* #2189: Make externally-provisionned yubikeys easier to configure
|
||||||
|
* #2193: Polish translation
|
||||||
|
* #2195: Manager - Configuration's Author IP address field should honor $ipAddr
|
||||||
|
* #2201: Avoid Portal to crash with bad GrantSession rule
|
||||||
|
* #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
|
||||||
|
* #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
|
||||||
|
* #2214: add option to make convertConfig easier in most cases
|
||||||
|
* #2225: REST ression server is too intolerant of clock drift (2)
|
||||||
|
* #2233: Error/Warnings id not replaced with CLI
|
||||||
|
* #2239: Mail reset token should not be deleted at first page access
|
||||||
|
* #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
|
||||||
|
* #2241: Add CAS App management to the manager API
|
||||||
|
* #2242: Display new supported grant_types in OIDC discovery page
|
||||||
|
* #2244: Use configuration key in user log messages for all Issuer modules
|
||||||
|
* #2249: Check password policy on the client side when changing password
|
||||||
|
* #2251: Add a parameter for Syslog options
|
||||||
|
* #2252: No host in logs to use with Fail2ban
|
||||||
|
* #2265: increase log level for mail sending and password reset
|
||||||
|
* #2273: URL is not set to Portal URL after ContextSwitching
|
||||||
|
* #2276: Using bruteForceProtectionIncrementalTempo lock user at first attempt
|
||||||
|
* #2278: Display instance name when prompting a message
|
||||||
|
* #2280: User attribute based on local macro in Openid rp
|
||||||
|
* #2281: Manage SameSite default behavior
|
||||||
|
* #2283: Improve Notifications explorer to display done notifications content
|
||||||
|
* #2284: Improve serviceToken debug logs
|
||||||
|
* #2292: request "do not minify" json config option
|
||||||
|
* #2295: Erroneous use of NTLM should be explicitely reported to the user
|
||||||
|
* #2299: healthcheck endpoint for manager API
|
||||||
|
* #2302: correct usage of invalid vs unvalid in code & messaging
|
||||||
|
* #2303: Add del method to lemonldap-ng-cli
|
||||||
|
|
||||||
|
-- Clément <clem.oudot@gmail.com> Sun, 06 Sep 2020 19:59:22 +0200
|
||||||
|
|
||||||
lemonldap-ng (2.0.8) stable; urgency=medium
|
lemonldap-ng (2.0.8) stable; urgency=medium
|
||||||
|
|
||||||
* Bugs:
|
* Bugs:
|
||||||
|
|
15
debian/NEWS
15
debian/NEWS
|
@ -1,3 +1,18 @@
|
||||||
|
lemonldap-ng (2.0.9-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
This release fixes 2 CVE:
|
||||||
|
- CVE-2020-24660: Nginx configuration for Handler protected applications
|
||||||
|
must be updated if your virtual host configuration contains per-URL access
|
||||||
|
rules based on regular expressions in addition to the built-in default access rule.
|
||||||
|
- CVE-2020-16093: LDAP server certificates were previously not verified by default
|
||||||
|
when using secure transports (LDAPS or TLS). Starting from this release, certificate
|
||||||
|
validation is now enabled by default, including on existing installations. If
|
||||||
|
your SSL configuration is not valid, you can temporarily disable certificate
|
||||||
|
verification.
|
||||||
|
See upgrade notes in local documentation or on https://lemonldap-ng.org
|
||||||
|
|
||||||
|
-- Clement OUDOT <clement@oodo.net> Sun, 06 Sep 2020 22:00:00 +0100
|
||||||
|
|
||||||
lemonldap-ng (2.0.6-1) unstable; urgency=medium
|
lemonldap-ng (2.0.6-1) unstable; urgency=medium
|
||||||
|
|
||||||
FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf.
|
FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf.
|
||||||
|
|
7
debian/changelog
7
debian/changelog
|
@ -1,3 +1,10 @@
|
||||||
|
lemonldap-ng (2.0.9-1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* New release. See changes on our website:
|
||||||
|
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
|
||||||
|
|
||||||
|
-- Clement OUDOT <clement@oodo.net> Sun, 06 Sep 2020 22:00:00 +0100
|
||||||
|
|
||||||
lemonldap-ng (2.0.8-1) unstable; urgency=medium
|
lemonldap-ng (2.0.8-1) unstable; urgency=medium
|
||||||
|
|
||||||
* New release. See changes on our website:
|
* New release. See changes on our website:
|
||||||
|
|
110
debian/copyright
110
debian/copyright
|
@ -4,18 +4,22 @@ Upstream-Contact: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
|
||||||
Source: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags?sort=updated_desc
|
Source: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags?sort=updated_desc
|
||||||
|
|
||||||
Files: *
|
Files: *
|
||||||
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
|
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
|
||||||
2006-2019, Clement Oudot <clem.oudot@gmail.com>
|
2006-2020, Clement Oudot <clem.oudot@gmail.com>
|
||||||
2008, Mikael Ates <mikael.ates@univ-st-etienne.fr>
|
2008, Mikael Ates <mikael.ates@univ-st-etienne.fr>
|
||||||
2008-2011, Thomas Chemineau <thomas.chemineau@gmail.com>
|
2008-2011, Thomas Chemineau <thomas.chemineau@gmail.com>
|
||||||
2012-2013, Sandro Cazzaniga <cazzaniga.sandro@gmail.com>
|
2012-2013, Sandro Cazzaniga <cazzaniga.sandro@gmail.com>
|
||||||
2012-2015, François-Xavier Deltombe <fxdeltombe@gmail.com>
|
2012-2015, François-Xavier Deltombe <fxdeltombe@gmail.com>
|
||||||
2012-2015, David Coutadeur <david.coutadeur@gmail.com>
|
2012-2019, David Coutadeur <david.coutadeur@gmail.com>
|
||||||
2018-2019, Christophe Maudoux <chrmdx@gmail.com>
|
2018-2020, Christophe Maudoux <chrmdx@gmail.com>
|
||||||
2005-2019, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
|
2019-2020, Maxime Besson <maxime.besson@worteks.com>
|
||||||
2006-2015, LINAGORA <info@linagora.com>
|
2019, Soisik Frogier <soisik.froger@worteks.com>
|
||||||
|
2019, Mame Dieynaba Sene <msene@linagora.com>
|
||||||
|
2019, Antoine Rosier <lemonldap@mon-refuge.fr>
|
||||||
|
2005-2020, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
|
||||||
|
2006-2019, LINAGORA <info@linagora.com>
|
||||||
2015-2018, Savoir-faire Linux <contact@savoirfairelinux.com>
|
2015-2018, Savoir-faire Linux <contact@savoirfairelinux.com>
|
||||||
2018-2019, Worteks <info@worteks.com>
|
2018-2020, Worteks <info@worteks.com>
|
||||||
License: GPL-2+
|
License: GPL-2+
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
|
Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
|
||||||
|
@ -67,6 +71,10 @@ Copyright: https://www.customicondesign.com
|
||||||
License: CC-BY-NC-ND-3.0
|
License: CC-BY-NC-ND-3.0
|
||||||
Comment: Downloaded from https://www.iconspedia.com/
|
Comment: Downloaded from https://www.iconspedia.com/
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/Slave.png
|
||||||
|
Copyright: Antoine Rosier <antoine.rosier@mon-refuge.fr>
|
||||||
|
License: CC-3
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/Twitter.png
|
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/Twitter.png
|
||||||
Copyright: Paul Schulerr, https://schulerr.deviantart.com
|
Copyright: Paul Schulerr, https://schulerr.deviantart.com
|
||||||
License: CC-3
|
License: CC-3
|
||||||
|
@ -88,6 +96,12 @@ Comment: downloaded from
|
||||||
.
|
.
|
||||||
Author is unknown and license may be W3C or public-domain
|
Author is unknown and license may be W3C or public-domain
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/GitHub.png
|
||||||
|
Copyright: GitHub
|
||||||
|
License: Expat
|
||||||
|
Comment: downloaded from
|
||||||
|
https://commons.wikimedia.org/wiki/File:Octicons-mark-github.svg
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/bootstrap/u2f.png
|
Files: lemonldap-ng-portal/site/htdocs/static/bootstrap/u2f.png
|
||||||
Copyright: Bautsch <https://commons.wikimedia.org/wiki/User:Bautsch>
|
Copyright: Bautsch <https://commons.wikimedia.org/wiki/User:Bautsch>
|
||||||
License: CC0-1.0
|
License: CC0-1.0
|
||||||
|
@ -99,12 +113,39 @@ License: CC-3
|
||||||
Comment: This work, "sfa_manager.png", is a derivative of
|
Comment: This work, "sfa_manager.png", is a derivative of
|
||||||
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
|
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/notifsExplorer.png
|
||||||
|
Copyright: Various artists
|
||||||
|
License: CC-BY-NC-ND-3.0 or GFDL-1.3
|
||||||
|
Comment: downloaded from https://commons.wikimedia.org
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/decryptValue.png
|
||||||
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
|
License: CC-3
|
||||||
|
Comment: This work, "decryptValue.png", is a derivative of
|
||||||
|
"secure.png" by Austin Condiff, under CC-BY-3.0.
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
|
||||||
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
|
License: CC-BY-4.0
|
||||||
|
Comment: This work, "switchcontext_OFF.png", is a derivative of
|
||||||
|
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
|
||||||
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
|
License: CC-BY-4.0
|
||||||
|
Comment: This work, "switchcontext_ON.png", is a derivative of
|
||||||
|
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/CustomAuth.png
|
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/CustomAuth.png
|
||||||
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
Copyright: Christophe Maudoux <chrmdx@gmail.com>
|
||||||
License: CC-3
|
License: CC-3
|
||||||
Comment: This work, "CustomAuth.png", is a derivative of
|
Comment: This work, "CustomAuth.png", is a derivative of
|
||||||
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
|
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
|
||||||
|
|
||||||
|
Files: lemonldap-ng-portal/site/htdocs/static/common/fonts/password.ttf
|
||||||
|
Copyright: 2007, the Tap2Play Team, https://git.tap2play.org.au/tap2play/web/tree/dev/fonts
|
||||||
|
License: Expat
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/*
|
Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/*
|
||||||
Copyright: Various artists
|
Copyright: Various artists
|
||||||
License: CC-BY-NC-ND-3.0 or GFDL-1.3
|
License: CC-BY-NC-ND-3.0 or GFDL-1.3
|
||||||
|
@ -189,22 +230,17 @@ Copyright: 2014-2015, Google Inc.
|
||||||
License: BSD-3-clause
|
License: BSD-3-clause
|
||||||
|
|
||||||
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
|
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
|
||||||
doc/pages/documentation/current/icons/*
|
doc/sources/admin/icons/*
|
||||||
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
|
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
|
||||||
License: LGPL-3
|
License: LGPL-3
|
||||||
|
|
||||||
Files: doc/pages/documentation/current/lib/images/*
|
Files: doc/sources/admin/documentation/lasso.png
|
||||||
Copyright: 2004-2012 Andreas Gohr <andi@splitbrain.org>
|
|
||||||
and the DokuWiki Community
|
|
||||||
License: GPL-2
|
|
||||||
|
|
||||||
Files: doc/pages/documentation/current/documentation/lasso*.png
|
|
||||||
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
|
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
|
||||||
2004, Florent Monnier
|
2004, Florent Monnier
|
||||||
License: GPL-2+
|
License: GPL-2+
|
||||||
|
|
||||||
Files: debian/*
|
Files: debian/*
|
||||||
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
|
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
|
||||||
License: GPL-2+
|
License: GPL-2+
|
||||||
|
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
@ -690,7 +726,7 @@ License: CC-BY-NC-ND-3.0
|
||||||
title of the Work if supplied; (iii) to the extent reasonably
|
title of the Work if supplied; (iii) to the extent reasonably
|
||||||
practicable, the URI, if any, that Licensor specifies to be associated
|
practicable, the URI, if any, that Licensor specifies to be associated
|
||||||
with the Work, unless such URI does not refer to the copyright notice or
|
with the Work, unless such URI does not refer to the copyright notice or
|
||||||
licensing information for the Work. The credit required by this Section
|
licensing information for the Work. The credit required by this Section
|
||||||
(c) may be implemented in any reasonable manner; provided, however, that
|
(c) may be implemented in any reasonable manner; provided, however, that
|
||||||
in the case of a Collection, at a minimum such credit will appear, if a
|
in the case of a Collection, at a minimum such credit will appear, if a
|
||||||
credit for all contributing authors of Collection appears, then as part
|
credit for all contributing authors of Collection appears, then as part
|
||||||
|
@ -899,27 +935,27 @@ License: CC-BY-4.0
|
||||||
.
|
.
|
||||||
Attribution.
|
Attribution.
|
||||||
.
|
.
|
||||||
If You Share the Licensed Material (including in modified form), You
|
If You Share the Licensed Material (including in modified form), You
|
||||||
must: retain the following if it is supplied by the Licensor with the
|
must: retain the following if it is supplied by the Licensor with the
|
||||||
Licensed Material: identification of the creator(s) of the Licensed
|
Licensed Material: identification of the creator(s) of the Licensed
|
||||||
Material and any others designated to receive attribution, in any
|
Material and any others designated to receive attribution, in any
|
||||||
reasonable manner requested by the Licensor (including by pseudonym if
|
reasonable manner requested by the Licensor (including by pseudonym if
|
||||||
designated); a copyright notice; a notice that refers to this Public
|
designated); a copyright notice; a notice that refers to this Public
|
||||||
License; a notice that refers to the disclaimer of warranties; a URI or
|
License; a notice that refers to the disclaimer of warranties; a URI or
|
||||||
hyperlink to the Licensed Material to the extent reasonably practicable;
|
hyperlink to the Licensed Material to the extent reasonably practicable;
|
||||||
indicate if You modified the Licensed Material and retain an indication
|
indicate if You modified the Licensed Material and retain an indication
|
||||||
of any previous modifications; and indicate the Licensed Material is
|
of any previous modifications; and indicate the Licensed Material is
|
||||||
licensed under this Public License, and include the text of, or the URI
|
licensed under this Public License, and include the text of, or the URI
|
||||||
or hyperlink to, this Public License. You may satisfy the conditions in
|
or hyperlink to, this Public License. You may satisfy the conditions in
|
||||||
Section 3(a)(1) in any reasonable manner based on the medium, means, and
|
Section 3(a)(1) in any reasonable manner based on the medium, means, and
|
||||||
context in which You Share the Licensed Material. For example, it may be
|
context in which You Share the Licensed Material. For example, it may be
|
||||||
reasonable to satisfy the conditions by providing a URI or hyperlink to
|
reasonable to satisfy the conditions by providing a URI or hyperlink to
|
||||||
a resource that includes the required information. If requested by the
|
a resource that includes the required information. If requested by the
|
||||||
Licensor, You must remove any of the information required by Section
|
Licensor, You must remove any of the information required by Section
|
||||||
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
|
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
|
||||||
Material You produce, the Adapter's License You apply must not prevent
|
Material You produce, the Adapter's License You apply must not prevent
|
||||||
recipients of the Adapted Material from complying with this Public
|
recipients of the Adapted Material from complying with this Public
|
||||||
License.
|
License.
|
||||||
.
|
.
|
||||||
Section 4 – Sui Generis Database Rights.
|
Section 4 – Sui Generis Database Rights.
|
||||||
.
|
.
|
||||||
|
|
|
@ -868,6 +868,9 @@
|
||||||
"allowOffline" : {
|
"allowOffline" : {
|
||||||
"type" : "boolean"
|
"type" : "boolean"
|
||||||
},
|
},
|
||||||
|
"authnLevel" : {
|
||||||
|
"type" : "integer"
|
||||||
|
},
|
||||||
"rule" : {
|
"rule" : {
|
||||||
"type" : "string"
|
"type" : "string"
|
||||||
},
|
},
|
||||||
|
@ -1057,6 +1060,9 @@
|
||||||
"type" : "integer",
|
"type" : "integer",
|
||||||
"default" : 72000
|
"default" : 72000
|
||||||
},
|
},
|
||||||
|
"authnLevel" : {
|
||||||
|
"type" : "integer"
|
||||||
|
},
|
||||||
"rule" : {
|
"rule" : {
|
||||||
"type" : "string"
|
"type" : "string"
|
||||||
},
|
},
|
||||||
|
|
|
@ -70,12 +70,13 @@ Configure Bugzilla virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
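Review bot: The new `fastcgi_param X_ORIGINAL_URI $original_uri;` now forwards `$uri$is_args$args`, which is nginx's normalized, URL-decoded path plus the raw query string rather than the raw request line that `$request_uri` carried, yet the comment above it still reads "Keep original request (LLNG server will received /llauth)" and the snippet gives no reason for the change. I would add a comment under the `set` line, `# $uri is the normalized (decoded, dot-segments resolved) path nginx actually serves, so access rules are evaluated on the same path the application receives`, and correct the stale comment to `# Keep original request (LLNG server will receive /lmauth)` as the later handler sections already do. Since `$original_uri` is only assigned inside `location /`, any other location that issues `auth_request /lmauth;` without its own `set $original_uri $uri$is_args$args;` would presumably hand the handler an empty `X_ORIGINAL_URI`, so a sentence stating that the `set` must accompany every `auth_request` belongs in the surrounding text. The same change is repeated unchanged in the Dokuwiki, Drupal, Liferay, MediaWiki, OBM, phpLDAPadmin, Sympa and Nginx handler sections below, and the one-hunk sections around `# Protect only the /login/ URL` and `included file):`.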
|
|
|
@ -75,12 +75,13 @@ Configure Dokuwiki virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -72,12 +72,13 @@ Configure Drupal virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -69,7 +69,7 @@ configuration file:
|
||||||
fastcgi_pass_request_body off;
|
fastcgi_pass_request_body off;
|
||||||
fastcgi_param CONTENT_LENGTH "";
|
fastcgi_param CONTENT_LENGTH "";
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Protect only the /login/ URL
|
# Protect only the /login/ URL
|
||||||
|
@ -78,6 +78,7 @@ configuration file:
|
||||||
|
|
||||||
# Protect the current path with LLNG
|
# Protect the current path with LLNG
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -130,12 +130,13 @@ Configure Liferay virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -159,12 +159,13 @@ Configure MediaWiki virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -152,12 +152,13 @@ Edit also OBM configuration to enable LL::NG Handler:
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -74,12 +74,13 @@ Configure phpLDAPadmin virtual host like other
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -102,12 +102,13 @@ authentication URL.
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /llauth)
|
# Keep original request (LLNG server will received /llauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location /wws/sso_login/lemonldapng {
|
location /wws/sso_login/lemonldapng {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -82,8 +82,11 @@ Connection
|
||||||
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
|
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
|
||||||
also use cafile and capath parameters.
|
also use cafile and capath parameters.
|
||||||
|
|
||||||
- **Server port**: TCP port used by LDAP server. Can be overridden by
|
- **Server port**: TCP port used by LDAP server if different from the standard
|
||||||
an LDAP URI in server host.
|
ports. Can also be specified in the server host URI.
|
||||||
|
- **Verify LDAP server certificate**: It is highly recommended to verify the
|
||||||
|
identity of the remote server. This setting is only enforced for LDAPS or
|
||||||
|
TLS connections.
|
||||||
- **Users search base**: Base of search in the LDAP directory.
|
- **Users search base**: Base of search in the LDAP directory.
|
||||||
- **Account**: DN used to connect to LDAP server. By default, anonymous
|
- **Account**: DN used to connect to LDAP server. By default, anonymous
|
||||||
bind is used.
|
bind is used.
|
||||||
|
@ -95,6 +98,12 @@ Connection
|
||||||
(see
|
(see
|
||||||
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
|
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
|
||||||
documentation).
|
documentation).
|
||||||
|
- **CA file path**: This allows you to override the default system-wide
|
||||||
|
certificate authorities by giving a single file containing the CA used by the
|
||||||
|
LDAP server.
|
||||||
|
- **CA directory path**: This allows you to override the default system-wide
|
||||||
|
certificate authorities by giving the path of a directory containing your
|
||||||
|
trusted certificates.
|
||||||
|
|
||||||
|
|
||||||
.. attention::
|
.. attention::
|
||||||
|
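Review bot: The new "Verify LDAP server certificate" entry says the check is recommended but never states what the choices are or what the default is, although the LDAP configuration-backend section further down lists `require`, `optional` and `none` for `ldapVerify`. I would append a sentence such as `Possible values are require (default), optional or none; none should only be used on a test directory.` so an administrator reading this page alone knows that verification is already on and does not need to set anything. The `optional` semantics are not described anywhere on the page and should be spelled out too, since a setting that silently skips verification when the server presents no certificate is easy to misread as equivalent to `require`.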
|
|
@ -198,6 +198,9 @@ Name Comment Default value
|
||||||
**ldapAttributeId** Attribute storing session ID cn
|
**ldapAttributeId** Attribute storing session ID cn
|
||||||
**ldapAttributeContent** Attribute storing session content description
|
**ldapAttributeContent** Attribute storing session content description
|
||||||
**ldapAttributeIndex** Attribute storing index ou
|
**ldapAttributeIndex** Attribute storing index ou
|
||||||
|
**ldapVerify** Perform certificate validation require (use none to disable)
|
||||||
|
**ldapCAFile** Path of CA file bundle (system CA bundle)
|
||||||
|
**ldapCAPath** Perform CA directory (system CA bundle)
|
||||||
======================== ================================= ===============================
|
======================== ================================= ===============================
|
||||||
|
|
||||||
Security
|
Security
|
||||||
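Review bot: The added row `**ldapCAPath** Perform CA directory (system CA bundle)` carries the verb copied from the `ldapVerify` row above it; a path parameter should be described as one, mirroring the `ldapCAFile` row, e.g. `**ldapCAPath**           Path of CA directory              (system CA bundle)` with the column widths of this RST simple table preserved. The identical wording is added again in the session-backend table later on this page (the row following `**ldapCAFile**` under `@ -54,6 +54,9 @@`). It would also help to state in the Security section that `ldapCAFile` and `ldapCAPath` only take effect when `ldapVerify` is not `none`, which the rows as written leave implicit.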
|
|
|
@ -483,12 +483,13 @@ included file):
|
||||||
fastcgi_pass_request_body off;
|
fastcgi_pass_request_body off;
|
||||||
fastcgi_param CONTENT_LENGTH "";
|
fastcgi_param CONTENT_LENGTH "";
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -147,7 +147,7 @@ Then you can take any virtual host and modify it:
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
|
|
||||||
# Keep original request (LLNG server will receive /lmauth)
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
- Protect the application (/ or /path/to/protect):
|
- Protect the application (/ or /path/to/protect):
|
||||||
|
@ -156,6 +156,7 @@ Then you can take any virtual host and modify it:
|
||||||
|
|
||||||
location /path/to/protect {
|
location /path/to/protect {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
auth_request_set $cookie_value $upstream_http_set_cookie;
|
auth_request_set $cookie_value $upstream_http_set_cookie;
|
||||||
|
@ -220,12 +221,13 @@ Example of a protected virtual host for a local application:
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will receive /lmauth)
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
@ -280,12 +282,13 @@ Reverse proxy
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will receive /lmauth)
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
@ -327,7 +330,7 @@ by different types of handler :
|
||||||
uwsgi_pass_request_body off;
|
uwsgi_pass_request_body off;
|
||||||
uwsgi_param CONTENT_LENGTH "";
|
uwsgi_param CONTENT_LENGTH "";
|
||||||
uwsgi_param HOST $http_host;
|
uwsgi_param HOST $http_host;
|
||||||
uwsgi_param X_ORIGINAL_URI $request_uri;
|
uwsgi_param X_ORIGINAL_URI $original_uri;
|
||||||
# Improve performances
|
# Improve performances
|
||||||
uwsgi_buffer_size 32k;
|
uwsgi_buffer_size 32k;
|
||||||
uwsgi_buffers 32 32k;
|
uwsgi_buffers 32 32k;
|
||||||
|
@ -342,7 +345,7 @@ by different types of handler :
|
||||||
uwsgi_pass_request_body off;
|
uwsgi_pass_request_body off;
|
||||||
uwsgi_param CONTENT_LENGTH "";
|
uwsgi_param CONTENT_LENGTH "";
|
||||||
uwsgi_param HOST $http_host;
|
uwsgi_param HOST $http_host;
|
||||||
uwsgi_param X_ORIGINAL_URI $request_uri;
|
uwsgi_param X_ORIGINAL_URI $original_uri;
|
||||||
uwsgi_param VHOSTTYPE AuthBasic;
|
uwsgi_param VHOSTTYPE AuthBasic;
|
||||||
# Improve performances
|
# Improve performances
|
||||||
uwsgi_buffer_size 32k;
|
uwsgi_buffer_size 32k;
|
||||||
|
@ -358,7 +361,7 @@ by different types of handler :
|
||||||
uwsgi_pass_request_body off;
|
uwsgi_pass_request_body off;
|
||||||
uwsgi_param CONTENT_LENGTH "";
|
uwsgi_param CONTENT_LENGTH "";
|
||||||
uwsgi_param HOST $http_host;
|
uwsgi_param HOST $http_host;
|
||||||
uwsgi_param X_ORIGINAL_URI $request_uri;
|
uwsgi_param X_ORIGINAL_URI $original_uri;
|
||||||
uwsgi_param VHOSTTYPE ServiceToken;
|
uwsgi_param VHOSTTYPE ServiceToken;
|
||||||
# Improve performances
|
# Improve performances
|
||||||
uwsgi_buffer_size 32k;
|
uwsgi_buffer_size 32k;
|
||||||
|
@ -371,6 +374,7 @@ by different types of handler :
|
||||||
# CALLING AUTHENTICATION #
|
# CALLING AUTHENTICATION #
|
||||||
##################################
|
##################################
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
|
@ -389,6 +393,7 @@ by different types of handler :
|
||||||
# CALLING AUTHENTICATION #
|
# CALLING AUTHENTICATION #
|
||||||
##################################
|
##################################
|
||||||
auth_request /lmauth-basic;
|
auth_request /lmauth-basic;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
|
@ -407,6 +412,7 @@ by different types of handler :
|
||||||
# CALLING AUTHENTICATION #
|
# CALLING AUTHENTICATION #
|
||||||
##################################
|
##################################
|
||||||
auth_request /lmauth-service;
|
auth_request /lmauth-service;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
# Remove this for AuthBasic handler
|
# Remove this for AuthBasic handler
|
||||||
|
|
|
@ -109,6 +109,8 @@ Options
|
||||||
application.
|
application.
|
||||||
- **User attribute** : session field that will be used as main
|
- **User attribute** : session field that will be used as main
|
||||||
identifier.
|
identifier.
|
||||||
|
- **Authentication Level** : required authentication level to access this
|
||||||
|
application
|
||||||
- **Rule** : The access control rule to enforce on this application. If
|
- **Rule** : The access control rule to enforce on this application. If
|
||||||
left blank, access will be allowed for everyone.
|
left blank, access will be allowed for everyone.
|
||||||
|
|
||||||
|
|
|
@ -268,7 +268,8 @@ Options
|
||||||
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
||||||
for details. These offline sessions can be administered through
|
for details. These offline sessions can be administered through
|
||||||
the Session Browser.
|
the Session Browser.
|
||||||
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``) Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
|
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
|
||||||
|
- **Authentication Level**: required authentication level to access this application
|
||||||
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
|
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
|
||||||
|
|
||||||
- **Logout**
|
- **Logout**
|
||||||
|
|
|
@ -162,10 +162,12 @@ These options override service signature options (see
|
||||||
Security
|
Security
|
||||||
''''''''
|
''''''''
|
||||||
|
|
||||||
- **Encryption mode**: set the encryption mode for this IDP (None,
|
- **Encryption mode**: set the encryption mode for this SP (None,
|
||||||
NameID or Assertion).
|
NameID or Assertion).
|
||||||
- **Enable use of IDP initiated URL**: set to ``On`` to enable IDP
|
- **Enable use of IDP initiated URL**: set to ``On`` to enable IDP
|
||||||
Initiated URL on this SP.
|
Initiated URL on this SP.
|
||||||
|
- **Authentication Level**: required authentication level to access this SP
|
||||||
|
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this SP
|
||||||
|
|
||||||
|
|
||||||
.. tip::
|
.. tip::
|
||||||
|
|
|
@ -89,6 +89,14 @@ Parameters:
|
||||||
- **ldapAttributeId**: RDN attribute of configuration entry (optional)
|
- **ldapAttributeId**: RDN attribute of configuration entry (optional)
|
||||||
- **ldapAttributeContent**: attribute used to store configuration
|
- **ldapAttributeContent**: attribute used to store configuration
|
||||||
values, must be multivalued (optional)
|
values, must be multivalued (optional)
|
||||||
|
- **ldapVerify**: When using a LDAPS or TLS server, whether or not to validate the server certificate. Possible values: ``require``, ``optional`` or ``none``.
|
||||||
|
- **ldapCAFile**: This allows you to override the default system-wide
|
||||||
|
certificate authorities by giving a single file containing the CA used by the
|
||||||
|
LDAP server.
|
||||||
|
- **ldapCAPath**: This allows you to override the default system-wide
|
||||||
|
certificate authorities by giving the path of a directory containing your
|
||||||
|
trusted certificates.
|
||||||
|
|
||||||
|
|
||||||
.. |image0| image:: /documentation/configuration-ldap.png
|
.. |image0| image:: /documentation/configuration-ldap.png
|
||||||
:class: align-center
|
:class: align-center
|
||||||
|
|
|
@ -54,6 +54,9 @@ Name Comment Default value
|
||||||
**ldapObjectClass** Objectclass of the entry applicationProcess
|
**ldapObjectClass** Objectclass of the entry applicationProcess
|
||||||
**ldapAttributeId** Attribute storing session ID cn
|
**ldapAttributeId** Attribute storing session ID cn
|
||||||
**ldapAttributeContent** Attribute storing session content description
|
**ldapAttributeContent** Attribute storing session content description
|
||||||
|
**ldapVerify** Perform certificate validation require (use none to disable)
|
||||||
|
**ldapCAFile** Path of CA file bundle (system CA bundle)
|
||||||
|
**ldapCAPath** Perform CA directory (system CA bundle)
|
||||||
======================== ================================= ===============================
|
======================== ================================= ===============================
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -69,12 +69,13 @@ Nginx configuration
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
|
|
||||||
# Keep original request (LLNG server will receive /lmauth)
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Client requests
|
# Client requests
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
|
|
@ -12,8 +12,6 @@ Parameter list
|
||||||
Main parameters
|
Main parameters
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
<sortable 1>
|
|
||||||
|
|
||||||
======================================================= ==================================================================================== ====== ======= ======= =============
|
======================================================= ==================================================================================== ====== ======= ======= =============
|
||||||
Key name Documentation Portal Handler Manager ini file only
|
Key name Documentation Portal Handler Manager ini file only
|
||||||
======================================================= ==================================================================================== ====== ======= ======= =============
|
======================================================= ==================================================================================== ====== ======= ======= =============
|
||||||
|
@ -43,11 +41,11 @@ available2FSelfRegistration Available self-registrat
|
||||||
browsersDontStorePassword Avoid browsers to store users password ✔
|
browsersDontStorePassword Avoid browsers to store users password ✔
|
||||||
bruteForceProtection Enable brute force attack protection ✔
|
bruteForceProtection Enable brute force attack protection ✔
|
||||||
bruteForceProtectionIncrementalTempo Enable incremental lock time for brute force attack protection ✔
|
bruteForceProtectionIncrementalTempo Enable incremental lock time for brute force attack protection ✔
|
||||||
bruteForceProtectionLockTimes Incremental lock time values for brute force attack protection ✔ ✔
|
bruteForceProtectionLockTimes Incremental lock time values for brute force attack protection ✔
|
||||||
bruteForceProtectionMaxAge Brute force attack protection -> Max age between last and first allowed failed login ✔ ✔
|
bruteForceProtectionMaxAge Brute force attack protection -> Max age between last and first allowed failed login ✔ ✔
|
||||||
bruteForceProtectionMaxFailed Brute force attack protection -> Max allowed failed login ✔ ✔
|
bruteForceProtectionMaxFailed Brute force attack protection -> Max allowed failed login ✔
|
||||||
bruteForceProtectionMaxLockTime Brute force attack protection -> Max lock time ✔ ✔
|
bruteForceProtectionMaxLockTime Brute force attack protection -> Max lock time ✔ ✔
|
||||||
bruteForceProtectionTempo Brute force attack protection -> Tempo before try again ✔ ✔
|
bruteForceProtectionTempo Brute force attack protection -> Tempo before try again ✔
|
||||||
captcha_login_enabled Captcha on login page ✔
|
captcha_login_enabled Captcha on login page ✔
|
||||||
captcha_mail_enabled Captcha on password reset page ✔
|
captcha_mail_enabled Captcha on password reset page ✔
|
||||||
captcha_register_enabled Captcha on account creation page ✔
|
captcha_register_enabled Captcha on account creation page ✔
|
||||||
|
@ -85,6 +83,7 @@ checkUserDisplayPersistentInfo Display persistent sessi
|
||||||
checkUserHiddenAttributes Attributes to hide in CheckUser plugin ✔
|
checkUserHiddenAttributes Attributes to hide in CheckUser plugin ✔
|
||||||
checkUserIdRule checkUser identities rule ✔
|
checkUserIdRule checkUser identities rule ✔
|
||||||
checkUserSearchAttributes Attributes used for retrieving sessions in user DataBase ✔
|
checkUserSearchAttributes Attributes used for retrieving sessions in user DataBase ✔
|
||||||
|
checkUserUnrestrictedUsersRule checkUser unrestricted users rule ✔
|
||||||
checkXSS Check XSS ✔
|
checkXSS Check XSS ✔
|
||||||
combModules Combination module description ✔
|
combModules Combination module description ✔
|
||||||
combination Combination rule ✔
|
combination Combination rule ✔
|
||||||
|
@ -95,6 +94,7 @@ contextSwitchingIdRule Context switching identi
|
||||||
contextSwitchingPrefix Prefix to store real session Id ✔ ✔
|
contextSwitchingPrefix Prefix to store real session Id ✔ ✔
|
||||||
contextSwitchingRule Context switching activation rule ✔
|
contextSwitchingRule Context switching activation rule ✔
|
||||||
contextSwitchingStopWithLogout Stop context switching by logout ✔
|
contextSwitchingStopWithLogout Stop context switching by logout ✔
|
||||||
|
contextSwitchingUnrestrictedUsersRule Context switching unrestricted users rule ✔
|
||||||
cookieExpiration Cookie expiration ✔ ✔
|
cookieExpiration Cookie expiration ✔ ✔
|
||||||
cookieName Name of the main cookie ✔ ✔
|
cookieName Name of the main cookie ✔ ✔
|
||||||
corsAllow_Credentials Allow credentials for Cross-Origin Resource Sharing ✔
|
corsAllow_Credentials Allow credentials for Cross-Origin Resource Sharing ✔
|
||||||
|
@ -190,6 +190,7 @@ impersonationMergeSSOgroups Merge spoofed and real S
|
||||||
impersonationPrefix Prefix to rename real session attributes ✔ ✔
|
impersonationPrefix Prefix to rename real session attributes ✔ ✔
|
||||||
impersonationRule Impersonation activation rule ✔
|
impersonationRule Impersonation activation rule ✔
|
||||||
impersonationSkipEmptyValues Skip session empty values ✔
|
impersonationSkipEmptyValues Skip session empty values ✔
|
||||||
|
impersonationUnrestrictedUsersRule Impersonation unrestricted users rule ✔
|
||||||
infoFormMethod HTTP method for info page form ✔
|
infoFormMethod HTTP method for info page form ✔
|
||||||
issuerDBCASActivation CAS server activation ✔
|
issuerDBCASActivation CAS server activation ✔
|
||||||
issuerDBCASPath CAS server request path ✔
|
issuerDBCASPath CAS server request path ✔
|
||||||
|
@ -217,6 +218,8 @@ krbRemoveDomain Remove domain in Kerbero
|
||||||
ldapAllowResetExpiredPassword Allow a user to reset his expired password ✔
|
ldapAllowResetExpiredPassword Allow a user to reset his expired password ✔
|
||||||
ldapAuthnLevel LDAP authentication level ✔
|
ldapAuthnLevel LDAP authentication level ✔
|
||||||
ldapBase LDAP search base ✔
|
ldapBase LDAP search base ✔
|
||||||
|
ldapCAFile Location of the certificate file for LDAP connections ✔
|
||||||
|
ldapCAPath Location of the CA directory for LDAP connections ✔
|
||||||
ldapChangePasswordAsUser ✔
|
ldapChangePasswordAsUser ✔
|
||||||
ldapExportedVars LDAP exported variables ✔
|
ldapExportedVars LDAP exported variables ✔
|
||||||
ldapGroupAttributeName LDAP attribute name for member in groups ✔
|
ldapGroupAttributeName LDAP attribute name for member in groups ✔
|
||||||
|
@ -234,11 +237,12 @@ ldapPort LDAP port
|
||||||
ldapPpolicyControl ✔
|
ldapPpolicyControl ✔
|
||||||
ldapPwdEnc LDAP password encoding ✔
|
ldapPwdEnc LDAP password encoding ✔
|
||||||
ldapRaw ✔
|
ldapRaw ✔
|
||||||
ldapSearchDeref "deref" param of Net::LDAP::search () ✔
|
ldapSearchDeref "deref" param of Net::LDAP::search() ✔
|
||||||
ldapServer LDAP server (host or URI) ✔
|
ldapServer LDAP server (host or URI) ✔
|
||||||
ldapSetPassword ✔
|
ldapSetPassword ✔
|
||||||
ldapTimeout LDAP connection timeout ✔
|
ldapTimeout LDAP connection timeout ✔
|
||||||
ldapUsePasswordResetAttribute LDAP store reset flag in an attribute ✔
|
ldapUsePasswordResetAttribute LDAP store reset flag in an attribute ✔
|
||||||
|
ldapVerify Whether to validate LDAP certificates ✔
|
||||||
ldapVersion LDAP protocol version ✔
|
ldapVersion LDAP protocol version ✔
|
||||||
linkedInAuthnLevel LinkedIn authentication level ✔
|
linkedInAuthnLevel LinkedIn authentication level ✔
|
||||||
linkedInClientID ✔
|
linkedInClientID ✔
|
||||||
|
@ -434,11 +438,13 @@ rest2fLabel Portal label for REST se
|
||||||
rest2fLogo Custom logo for REST 2F ✔
|
rest2fLogo Custom logo for REST 2F ✔
|
||||||
rest2fVerifyArgs Args for REST 2F init ✔
|
rest2fVerifyArgs Args for REST 2F init ✔
|
||||||
rest2fVerifyUrl REST 2F init URL ✔
|
rest2fVerifyUrl REST 2F init URL ✔
|
||||||
|
restAuthServer Enable REST authentication server ✔
|
||||||
restAuthUrl ✔
|
restAuthUrl ✔
|
||||||
restAuthnLevel REST authentication level ✔
|
restAuthnLevel REST authentication level ✔
|
||||||
restClockTolerance How tolerant the REST session server will be to clock dift ✔
|
restClockTolerance How tolerant the REST session server will be to clock dift ✔
|
||||||
restConfigServer Enable REST config server ✔
|
restConfigServer Enable REST config server ✔
|
||||||
restExportSecretKeys Allow to export secret keys in REST session server ✔
|
restExportSecretKeys Allow to export secret keys in REST session server ✔
|
||||||
|
restPasswordServer Enable REST password reset server ✔
|
||||||
restPwdConfirmUrl ✔
|
restPwdConfirmUrl ✔
|
||||||
restPwdModifyUrl ✔
|
restPwdModifyUrl ✔
|
||||||
restSessionServer Enable REST session server ✔
|
restSessionServer Enable REST session server ✔
|
||||||
|
@ -509,6 +515,7 @@ sessionDataToRemember Data to remember in logi
|
||||||
sfEngine Second factor engine ✔ ✔
|
sfEngine Second factor engine ✔ ✔
|
||||||
sfExtra Extra second factors ✔
|
sfExtra Extra second factors ✔
|
||||||
sfManagerRule Rule to display second factor Manager link ✔
|
sfManagerRule Rule to display second factor Manager link ✔
|
||||||
|
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
|
||||||
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
|
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
|
||||||
sfRemovedNotifMsg Notification message ✔
|
sfRemovedNotifMsg Notification message ✔
|
||||||
sfRemovedNotifRef Notification reference ✔
|
sfRemovedNotifRef Notification reference ✔
|
||||||
|
@ -520,6 +527,7 @@ singleIP Allow only one session p
|
||||||
singleSession Allow only one session per user ✔
|
singleSession Allow only one session per user ✔
|
||||||
singleUserByIP Allow only one user per IP ✔
|
singleUserByIP Allow only one user per IP ✔
|
||||||
skipRenewConfirmation Avoid asking confirmation when an Issuer asks to renew auth ✔
|
skipRenewConfirmation Avoid asking confirmation when an Issuer asks to renew auth ✔
|
||||||
|
skipUpgradeConfirmation Avoid asking confirmation during a session upgrade ✔
|
||||||
slaveAuthnLevel Slave authentication level ✔
|
slaveAuthnLevel Slave authentication level ✔
|
||||||
slaveDisplayLogo Display Slave authentication logo ✔
|
slaveDisplayLogo Display Slave authentication logo ✔
|
||||||
slaveExportedVars Slave exported variables ✔
|
slaveExportedVars Slave exported variables ✔
|
||||||
|
@ -593,6 +601,7 @@ wsdlServer Enable /portal.wsdl serv
|
||||||
yubikey2fActivation Yubikey second factor activation ✔
|
yubikey2fActivation Yubikey second factor activation ✔
|
||||||
yubikey2fAuthnLevel Authentication level for users authentified by Yubikey second factor ✔
|
yubikey2fAuthnLevel Authentication level for users authentified by Yubikey second factor ✔
|
||||||
yubikey2fClientID Yubico client ID ✔
|
yubikey2fClientID Yubico client ID ✔
|
||||||
|
yubikey2fFromSessionAttribute Provision yubikey from the given session variable ✔
|
||||||
yubikey2fLabel Portal label for Yubikey second factor ✔
|
yubikey2fLabel Portal label for Yubikey second factor ✔
|
||||||
yubikey2fLogo Custom logo for Yubikey 2F ✔
|
yubikey2fLogo Custom logo for Yubikey 2F ✔
|
||||||
yubikey2fNonce Yubico nonce ✔
|
yubikey2fNonce Yubico nonce ✔
|
||||||
|
@ -609,8 +618,6 @@ zimbraSsoUrl Zimbra local SSO URL pat
|
||||||
zimbraUrl Zimbra preauthentication URL ✔ ✔
|
zimbraUrl Zimbra preauthentication URL ✔ ✔
|
||||||
======================================================= ==================================================================================== ====== ======= ======= =============
|
======================================================= ==================================================================================== ====== ======= ======= =============
|
||||||
|
|
||||||
</sortable>
|
|
||||||
|
|
||||||
*[1]: complex nodes*
|
*[1]: complex nodes*
|
||||||
|
|
||||||
Configuration backend parameters
|
Configuration backend parameters
|
||||||
@ -34,7 +34,7 @@ attribute you see there can be used in a rule!
|
||||||
$groups =~ /\b(?:admins|su)\b/ # admins OR su
|
$groups =~ /\b(?:admins|su)\b/ # admins OR su
|
||||||
$groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a
|
$groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a
|
||||||
|
|
||||||
defined $hGroups{'administrators'}
|
defined $hGroups->{'administrators'}
|
||||||
|
|
||||||
# 2.0.8 and higher only
|
# 2.0.8 and higher only
|
||||||
inGroup('administrators')
|
inGroup('administrators')
|
||||||
@ -29,22 +29,44 @@ The E-Mail, External and REST 2F modules
|
||||||
parameters.
|
parameters.
|
||||||
|
|
||||||
|
|
||||||
.. tip::
|
Registration on first use
|
||||||
|
-------------------------
|
||||||
|
|
||||||
If you want to force a 2F registration on first login, you can
|
If you want to force a 2F registration on first login, you can use the *Force
|
||||||
use 'Require 2FA'. You can also use a rule to force 2FA registration
|
2FA registration at login* option.
|
||||||
only for some users.
|
|
||||||
.. tip::
|
|
||||||
|
|
||||||
You can display a message if an
|
You can use a `rule<writingrulesand_headers>` to enable this behavior only for
|
||||||
expired second factor has been removed by enabling 'Display a message if
|
some users.
|
||||||
an expired SF is removed' option or setting a rule.
|
|
||||||
|
|
||||||
.. tip::
|
Second factor expiration
|
||||||
|
------------------------
|
||||||
|
|
||||||
Link to second factor Manager is automatically display if at least a
|
You can display a message if an expired second factor has been removed by
|
||||||
SFA module is enabled. You can set a rule to display or not the
|
enabling *Display a message if an expired SF is removed* option or setting a
|
||||||
link.
|
rule.
|
||||||
|
|
||||||
|
Self-care on Portal
|
||||||
|
-------------------
|
||||||
|
|
||||||
|
User may register second facrots themselves on the Portal by using the 2FA Manager.
|
||||||
|
|
||||||
|
The link will be displayed if at least a SFA module is enabled. You can set a
|
||||||
|
rule to display or not the link.
|
||||||
|
|
||||||
|
Session upgrade through 2FA
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
|beta|
|
||||||
|
|
||||||
|
If you enable the *Use 2FA for session upgrade* option, second factor will only
|
||||||
|
be asked on login if the target application requires an authentication level
|
||||||
|
that is strictly higher than the one obtained by the Authentication backend
|
||||||
|
(first factor).
|
||||||
|
|
||||||
|
The session upgrade mechanism will only require the second factor step, instead
|
||||||
|
of doing a complete reauthentication.
|
||||||
|
|
||||||
|
.. |beta| image:: /documentation/beta.png
|
||||||
|
|
||||||
Providing tokens from an external source
|
Providing tokens from an external source
|
||||||
----------------------------------------
|
----------------------------------------
|
||||||
|
@ -100,4 +122,3 @@ To enable manager Second Factor Administration Module, set
|
||||||
|
|
||||||
[portal]
|
[portal]
|
||||||
enabledModules = conf, sessions, notifications, 2ndFA
|
enabledModules = conf, sessions, notifications, 2ndFA
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ You can find the configuration for this feature in
|
||||||
|
|
||||||
- ``$homeMail`` : this second factor will only trigger if the
|
- ``$homeMail`` : this second factor will only trigger if the
|
||||||
``$homeMail`` session key exists
|
``$homeMail`` session key exists
|
||||||
- ``defined $hGroups{'admin'}`` : this second factor will only
|
- ``defined $hGroups->{'admin'}`` : this second factor will only
|
||||||
trigger if the user is in the ``admin`` group
|
trigger if the user is in the ``admin`` group
|
||||||
|
|
||||||
After adding your second factors, don't forget to add overload
|
After adding your second factors, don't forget to add overload
|
||||||
@ -75,7 +75,7 @@ request authorization from a central FastCGI server:
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /lmauth)
|
# Keep original request (LLNG server will received /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
|
|
||||||
# Set dynamically rules (LLNG will poll it every 10 mn)
|
# Set dynamically rules (LLNG will poll it every 10 mn)
|
||||||
fastcgi_param RULES_URL http://rulesserver/my.json
|
fastcgi_param RULES_URL http://rulesserver/my.json
|
||||||
|
@ -87,6 +87,7 @@ request authorization from a central FastCGI server:
|
||||||
}
|
}
|
||||||
location ~ ^(.*\.php)$ {
|
location ~ ^(.*\.php)$ {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
|
@ -232,7 +233,7 @@ directory.
|
||||||
# Keep original hostname
|
# Keep original hostname
|
||||||
fastcgi_param HOST $http_host;
|
fastcgi_param HOST $http_host;
|
||||||
# Keep original request (LLNG server will received /lmauth)
|
# Keep original request (LLNG server will received /lmauth)
|
||||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||||
}
|
}
|
||||||
location /rules.json {
|
location /rules.json {
|
||||||
auth_request off;
|
auth_request off;
|
||||||
|
@ -241,6 +242,7 @@ directory.
|
||||||
}
|
}
|
||||||
location / {
|
location / {
|
||||||
auth_request /lmauth;
|
auth_request /lmauth;
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
auth_request_set $lmlocation $upstream_http_location;
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
error_page 401 $lmlocation;
|
error_page 401 $lmlocation;
|
||||||
@ -20,24 +20,84 @@ backups and a rollback plan ready!
|
||||||
2.0.9
|
2.0.9
|
||||||
-----
|
-----
|
||||||
|
|
||||||
- | Bad default value to display OIDC Consents tab has been fixed.
|
- Bad default value to display OIDC Consents tab has been fixed.
|
||||||
| The default value is ``$_oidcConsents && $_oidcConsents =~ /\w+/``
|
The default value is now: ``$_oidcConsents && $_oidcConsents =~ /\w+/``
|
||||||
- Some user log messages have been modified, check :doc:`logs documentation <logs>`
|
- Some user log messages have been modified, check :doc:`logs documentation <logs>`
|
||||||
(see also `#2244 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2244>`__)
|
(see also `#2244 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2244>`__)
|
||||||
- SAML SOAP calls are now using ``text/xml`` instead of ``application/xml`` as the MIME Content Type, as required by `the SOAP standard <https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383526>`__
|
- SAML SOAP calls are now using ``text/xml`` instead of ``application/xml`` as the MIME Content Type, as required by `the SOAP standard <https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383526>`__
|
||||||
- The default config/session cache directory has been moved from ``/tmp`` to
|
- Incremental lock times values can now be set in BruteForceProtection plugin through Manager.
|
||||||
``/var/cache/lemonldap-ng`` in order to avoid `issues with cache purges
|
It must be a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
|
||||||
<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2254>`__ when
|
|
||||||
using Systemd. This change is only applied to new installations. If your
|
Cookie issues with Chrome
|
||||||
installation is experiencing cache purge issues, you
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
need to manually change your existing
|
|
||||||
``localSessionStorageOptions/cache_root`` parameter from ``/tmp`` to
|
This release fixes several issues related to the change in SameSite cookie
|
||||||
``/var/cache/lemonldap-ng``.
|
policy for Google Chrome users. The new default value of the SameSite
|
||||||
- This release fixes several issues when using ``SameSite=None``. The new
|
configuration parameter will set SameSite to ``Lax`` unless you are using SAML,
|
||||||
default value of the SameSite configuration parameter will set SameSite to
|
in which case it will be set to ``None``.
|
||||||
``Lax`` unless you are using SAML, which requires ``None``
|
|
||||||
- Incremental lock times values can now be set by using Manager.
|
This means that from now on, any LemonLDAP::NG installation using SAML must be
|
||||||
It must a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
|
served over HTTPS, as SameSite ``None`` value requires the ``Secure`` flag in cookie.
|
||||||
|
|
||||||
|
Change in default cache directory
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
The default config/session cache directory has been moved from ``/tmp`` to
|
||||||
|
``/var/cache/lemonldap-ng`` in order to avoid `issues with cache purges
|
||||||
|
<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2254>`__ when using
|
||||||
|
Systemd. This change is only applied to new installations. If your
|
||||||
|
installation is experiencing cache purge issues, you need to manually change
|
||||||
|
your existing ``localSessionStorageOptions/cache_root`` parameter from ``/tmp``
|
||||||
|
to ``/var/cache/lemonldap-ng``. Be sure to create this directory on your
|
||||||
|
file system before modifying your configuration.
|
||||||
|
|
||||||
|
|
||||||
|
Required changes in NGINX handler rules (CVE-2020-24660)
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
|
||||||
|
|
||||||
|
* You are using the :doc:`LemonLDAP::NG Handler<configvhost>` to protect applications
|
||||||
|
* Your handler server uses Nginx
|
||||||
|
* Your virtual host configuration contains per-URL access rules based on
|
||||||
|
regular expressions in addition to the built-in *default* access rule.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
You are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout
|
||||||
|
|
||||||
|
If you are in this situation, you need to modify *all* your handler-protected
|
||||||
|
virtualhosts by making the following change:
|
||||||
|
|
||||||
|
* Replace ``fastcgi_param X_ORIGINAL_URI $request_uri`` by ``fastcgi_param X_ORIGINAL_URI $original_uri`` if you are using FastCGI
|
||||||
|
* Replace ``uwsgi_param X_ORIGINAL_URI $request_uri`` by ``uwsgi_param X_ORIGINAL_URI $original_uri`` if you are using uWSGI
|
||||||
|
* Right after ``auth_request /lmauth;``, add the following line ::
|
||||||
|
|
||||||
|
set $original_uri $uri$is_args$args;
|
||||||
|
|
||||||
|
You can check the :doc:`configvhost` page for more information
|
||||||
|
|
||||||
|
LDAP certificate validation (CVE-2020-16093)
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see `CVE-2020-16093 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250>`__. Starting from this release, certificate validation is now enabled by default, including on existing installations.
|
||||||
|
|
||||||
|
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command ::
|
||||||
|
|
||||||
|
/your/path/to/lemonldap-ng-cli set ldapVerify none
|
||||||
|
|
||||||
|
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to `/etc/lemonldap-ng/lemonldap-ng.ini` ::
|
||||||
|
|
||||||
|
[configuration]
|
||||||
|
...
|
||||||
|
ldapVerify = none
|
||||||
|
|
||||||
|
If you use LDAP as a session backend, you are strongly encouraged to also upgrade corresponding ``Apache::Session`` modules (``Apache::Session::LDAP`` or ``Apache::Session::Browseable``). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
|
||||||
|
|
||||||
|
* key: ``ldapVerify``
|
||||||
|
* value: ``none``
|
||||||
|
|
||||||
|
Please note that it is HIGHLY recommended to set certificate validation to `require` when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.
|
||||||
|
|
||||||
2.0.8
|
2.0.8
|
||||||
-----
|
-----
|
||||||
@ -1098,6 +1098,8 @@ components:
|
||||||
notOnOrAfterTimeout:
|
notOnOrAfterTimeout:
|
||||||
type: integer
|
type: integer
|
||||||
default: 72000
|
default: 72000
|
||||||
|
authnLevel:
|
||||||
|
type: integer
|
||||||
rule:
|
rule:
|
||||||
type: string
|
type: string
|
||||||
forceUTF8:
|
forceUTF8:
|
||||||
|
@ -1181,6 +1183,8 @@ components:
|
||||||
type: string
|
type: string
|
||||||
allowOffline:
|
allowOffline:
|
||||||
type: boolean
|
type: boolean
|
||||||
|
authnLevel:
|
||||||
|
type: integer
|
||||||
rule:
|
rule:
|
||||||
type: string
|
type: string
|
||||||
IDTokenSignAlg:
|
IDTokenSignAlg:
|
||||||
@ -73,6 +73,6 @@
|
||||||
],
|
],
|
||||||
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
||||||
},
|
},
|
||||||
"version" : "v2.0.8",
|
"version" : "v2.0.9",
|
||||||
"x_serialization_backend" : "JSON::PP version 4.02"
|
"x_serialization_backend" : "JSON::PP version 2.97001"
|
||||||
}
|
}
|
||||||
@ -51,5 +51,5 @@ resources:
|
||||||
X_twitter: https://twitter.com/lemonldapng
|
X_twitter: https://twitter.com/lemonldapng
|
||||||
homepage: http://lemonldap-ng.org/
|
homepage: http://lemonldap-ng.org/
|
||||||
license: http://opensource.org/licenses/GPL-2.0
|
license: http://opensource.org/licenses/GPL-2.0
|
||||||
version: v2.0.8
|
version: v2.0.9
|
||||||
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
||||||
@ -1,6 +1,6 @@
|
||||||
package Lemonldap::NG::Common;
|
package Lemonldap::NG::Common;
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
1;
|
1;
|
||||||
__END__
|
__END__
|
||||||
@ -9,7 +9,7 @@ use Lemonldap::NG::Common::Apache::Session;
|
||||||
use Lemonldap::NG::Common::Session;
|
use Lemonldap::NG::Common::Session;
|
||||||
use Lemonldap::NG::Common::Util qw/getPSessionID genId2F/;
|
use Lemonldap::NG::Common::Util qw/getPSessionID genId2F/;
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
has opts => ( is => 'rw' );
|
has opts => ( is => 'rw' );
|
||||||
|
|
||||||
@ -27,7 +27,7 @@ use Config::IniFiles;
|
||||||
#inherits Lemonldap::NG::Common::Conf::Backends::SOAP
|
#inherits Lemonldap::NG::Common::Conf::Backends::SOAP
|
||||||
#inherits Lemonldap::NG::Common::Conf::Backends::LDAP
|
#inherits Lemonldap::NG::Common::Conf::Backends::LDAP
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
our $msg = '';
|
our $msg = '';
|
||||||
our $iniObj;
|
our $iniObj;
|
||||||
|
|
||||||
|
@ -480,7 +480,7 @@ sub delete {
|
||||||
my ( $self, $c ) = @_;
|
my ( $self, $c ) = @_;
|
||||||
my @a = $self->available();
|
my @a = $self->available();
|
||||||
if ( grep( /^$c$/, @a ) ) {
|
if ( grep( /^$c$/, @a ) ) {
|
||||||
return $self->_launch( 'delete', $self, $c );
|
return $self->_launch( 'delete', $c );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
return 0;
|
return 0;
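Review bot: The membership test `grep( /^$c$/, @a )` on the line just before the corrected `_launch` call interpolates `$c` as a regular expression rather than comparing it literally, so a backend name containing metacharacters is matched loosely (or can match more than one entry of `@a`); an exact comparison `if ( grep { $_ eq $c } @a ) {` states the intent, or `/^\Q$c\E$/` if the pattern form is wanted. Where `$c` comes from is not visible in this hunk, so how much this matters in practice is inferred. The corrected call `$self->_launch( 'delete', $c )` presumably matches `_launch`'s parameter list, but its definition is outside this hunk and should be checked against the other call sites. `sub delete` opens before the hunk and its closing braces lie after it.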
|
||||||
@ -5,7 +5,7 @@ use Lemonldap::NG::Common::Conf::Constants; #inherits
|
||||||
use JSON;
|
use JSON;
|
||||||
use Encode;
|
use Encode;
|
||||||
|
|
||||||
our $VERSION = '2.0.6';
|
our $VERSION = '2.0.9';
|
||||||
our $initDone;
|
our $initDone;
|
||||||
|
|
||||||
sub Lemonldap::NG::Common::Conf::_lock {
|
sub Lemonldap::NG::Common::Conf::_lock {
|
||||||
@ -92,7 +92,10 @@ sub ldap {
|
||||||
my $ldap = Net::LDAP->new(
|
my $ldap = Net::LDAP->new(
|
||||||
\@servers,
|
\@servers,
|
||||||
onerror => undef,
|
onerror => undef,
|
||||||
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
|
verify => ( $self->{ldapVerify} || "require" ),
|
||||||
|
( $self->{ldapCAFile} ? ( cafile => $self->{ldapCAFile} ) : () ),
|
||||||
|
( $self->{ldapCAPath} ? ( capath => $self->{ldapCAPath} ) : () ),
|
||||||
|
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
|
||||||
raw => => qr/(?i:^jpegPhoto|;binary)/
|
raw => => qr/(?i:^jpegPhoto|;binary)/
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -100,12 +103,27 @@ sub ldap {
|
||||||
$Lemonldap::NG::Common::Conf::msg .= "$@\n";
|
$Lemonldap::NG::Common::Conf::msg .= "$@\n";
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
elsif ( $Net::LDAP::VERSION < '0.64' ) {
|
||||||
|
|
||||||
|
# CentOS7 has a bug in which IO::Socket::SSL will return a broken
|
||||||
|
# socket when certificate validation fails. Net::LDAP does not catch
|
||||||
|
# it, and the process ends up crashing.
|
||||||
|
# As a precaution, make sure the underlying socket is doing fine:
|
||||||
|
if ( $ldap->socket->isa('IO::Socket::SSL')
|
||||||
|
and $ldap->socket->errstr < 0 )
|
||||||
|
{
|
||||||
|
$Lemonldap::NG::Common::Conf::msg .=
|
||||||
|
"SSL connection error: " . $ldap->socket->errstr;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Start TLS if needed
|
# Start TLS if needed
|
||||||
if ($useTls) {
|
if ($useTls) {
|
||||||
my %h = split( /[&=]/, $tlsParam );
|
my %h = split( /[&=]/, $tlsParam );
|
||||||
$h{cafile} = $self->{caFile} if ( $self->{caFile} );
|
$h{verify} ||= $self->{ldapVerify} || "require";
|
||||||
$h{capath} = $self->{caPath} if ( $self->{caPath} );
|
$h{cafile} ||= $self->{ldapCAFile} if ( $self->{ldapCAFile} );
|
||||||
|
$h{capath} ||= $self->{ldapCAPath} if ( $self->{ldapCAPath} );
|
||||||
my $start_tls = $ldap->start_tls(%h);
|
my $start_tls = $ldap->start_tls(%h);
|
||||||
if ( $start_tls->code ) {
|
if ( $start_tls->code ) {
|
||||||
$self->logError($start_tls);
|
$self->logError($start_tls);
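Review bot: In the start_tls branch, `$h{verify} ||= $self->{ldapVerify} || "require"` lets a `verify=` key parsed out of `$tlsParam` (which looks like a query string on the LDAP server URI) take precedence over the configured `ldapVerify`, so a `verify=none` left in an older server URI silently defeats the validation default this release introduces; if a per-URI override is intended, a comment should say so, otherwise `$h{verify} = $self->{ldapVerify} || $h{verify} || "require";` lets the explicit setting win, and a downgrade to `none` deserves a log line either way. Both this hunk and the `Net::LDAP->new` hunk above forward whatever string `ldapVerify` holds, while Net::LDAP documents only `none`, `optional` and `require`, so rejecting any other value here avoids a typo quietly selecting a weaker mode. The `$ldap->socket->errstr < 0` test appears to rely on IO::Socket::SSL storing its error as a dualvar whose numeric value is -1; a comment such as `# errstr is a dualvar: -1 numerically once the handshake has failed` would mark the numeric comparison as intentional rather than a string/number mix-up. `sub ldap` opens before this section's first hunk and `$useTls`/`$tlsParam` are defined outside it.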
|
||||||
@ -5,7 +5,7 @@ use Lemonldap::NG::Common::Conf::Constants; #inherits
|
||||||
use YAML qw();
|
use YAML qw();
|
||||||
use Encode;
|
use Encode;
|
||||||
|
|
||||||
our $VERSION = '2.0.6';
|
our $VERSION = '2.0.9';
|
||||||
our $initDone;
|
our $initDone;
|
||||||
$YAML::Numify = 1;
|
$YAML::Numify = 1;
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
|
||||||
dirName => '/usr/local/lemonldap-ng/data/conf',
|
dirName => '/usr/local/lemonldap-ng/data/conf',
|
||||||
);
|
);
|
||||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:I
ncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
|
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)
|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
|
||||||
|
|
||||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||||
|
|
||||||
@ -144,6 +144,7 @@ sub defaultValues {
|
||||||
'ldapServer' => 'ldap://localhost',
|
'ldapServer' => 'ldap://localhost',
|
||||||
'ldapTimeout' => 120,
|
'ldapTimeout' => 120,
|
||||||
'ldapUsePasswordResetAttribute' => 1,
|
'ldapUsePasswordResetAttribute' => 1,
'ldapVerify' => 'require',
|
||||||
'ldapVersion' => 3,
|
'ldapVersion' => 3,
|
||||||
'linkedInAuthnLevel' => 1,
|
'linkedInAuthnLevel' => 1,
|
||||||
'linkedInFields' => 'id,first-name,last-name,email-address',
|
'linkedInFields' => 'id,first-name,last-name,email-address',
@ -6,7 +6,7 @@ use Mouse;
|
||||||
use Lemonldap::NG::Common::Conf::Constants;
|
use Lemonldap::NG::Common::Conf::Constants;
|
||||||
use Lemonldap::NG::Common::Conf::ReConstants;
|
use Lemonldap::NG::Common::Conf::ReConstants;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
extends 'Lemonldap::NG::Common::Conf::AccessLib';
|
extends 'Lemonldap::NG::Common::Conf::AccessLib';
@ -24,12 +24,12 @@ our $specialNodeHash = {
|
||||||
our $doubleHashKeys = 'issuerDBGetParameters';
|
our $doubleHashKeys = 'issuerDBGetParameters';
|
||||||
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|ombModule)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
|
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|ombModule)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
|
||||||
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
|
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
|
||||||
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:UserAttribut|Servic|Rul)e|(?:ExportedVar|Macro)s)';
|
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic|Rul)e|AuthnLevel)|(?:ExportedVar|Macro)s)';
|
||||||
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
|
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
|
||||||
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
|
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
|
||||||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:(?:uthorizationCode|ccessToken)Expiration|llow(?:PasswordGrant|Offline)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
|
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:uth(?:orizationCodeExpiration|nLevel)|llow(?:PasswordGrant|Offline)|ccessTokenExpiration|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
|
||||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
|
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
|
||||||
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
|
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
|
||||||
our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
|
our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
our $authParameters = {
|
our $authParameters = {
@ -45,7 +45,7 @@ our $authParameters = {
|
||||||
githubParams => [qw(githubAuthnLevel githubClientID githubClientSecret githubUserField githubScope)],
|
githubParams => [qw(githubAuthnLevel githubClientID githubClientSecret githubUserField githubScope)],
|
||||||
gpgParams => [qw(gpgAuthnLevel gpgDb)],
|
gpgParams => [qw(gpgAuthnLevel gpgDb)],
|
||||||
kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
|
kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
|
||||||
ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
|
ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapVerify ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw ldapCAFile ldapCAPath LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
|
||||||
linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInFields linkedInUserField linkedInScope)],
|
linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInFields linkedInUserField linkedInScope)],
|
||||||
nullParams => [qw(nullAuthnLevel)],
|
nullParams => [qw(nullAuthnLevel)],
|
||||||
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
|
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
@ -14,7 +14,7 @@ use MIME::Base64;
|
||||||
use Safe;
|
use Safe;
|
||||||
use Encode;
|
use Encode;
our $VERSION = '2.0.3';
|
our $VERSION = '2.0.9';
my $dataStart = tell(DATA);
|
my $dataStart = tell(DATA);
@ -23,8 +23,43 @@ sub import {
|
||||||
}
|
}
has ldapServer => (
|
has ldapServer => (
|
||||||
is => 'ro',
|
is => 'ro',
|
||||||
required => 1,
|
lazy => 1,
|
||||||
|
default => sub {
|
||||||
|
$_[0]->conf->{ldapServer};
|
||||||
|
}
|
||||||
|
);
has ldapPort => (
|
||||||
|
is => 'ro',
|
||||||
|
lazy => 1,
|
||||||
|
default => sub {
|
||||||
|
$_[0]->conf->{ldapPort};
|
||||||
|
}
|
||||||
|
);
has ldapCAFile => (
|
||||||
|
is => 'ro',
|
||||||
|
lazy => 1,
|
||||||
|
default => sub {
|
||||||
|
$_[0]->conf->{ldapCAFile};
|
||||||
|
}
|
||||||
|
);
has ldapCAPath => (
|
||||||
|
is => 'ro',
|
||||||
|
lazy => 1,
|
||||||
|
default => sub {
|
||||||
|
$_[0]->conf->{ldapCAPath};
|
||||||
|
}
|
||||||
|
);
has ldapVerify => (
|
||||||
|
is => 'ro',
|
||||||
|
lazy => 1,
|
||||||
|
default => sub {
|
||||||
|
$_[0]->conf->{ldapVerify};
|
||||||
|
}
|
||||||
);
|
);
has ldapConfBase => (
|
has ldapConfBase => (
@ -40,8 +75,7 @@ has ldapBindDN => (
|
||||||
is => 'ro',
|
is => 'ro',
|
||||||
lazy => 1,
|
lazy => 1,
|
||||||
default => sub {
|
default => sub {
|
||||||
$_[0]->p->logger->warn('Warning: "ldapBindDN" parameter is not set');
|
$_[0]->conf->{managerDn};
|
||||||
return '';
|
|
||||||
}
|
}
|
||||||
);
|
);
@ -49,9 +83,7 @@ has ldapBindPassword => (
|
||||||
is => 'ro',
|
is => 'ro',
|
||||||
lazy => 1,
|
lazy => 1,
|
||||||
default => sub {
|
default => sub {
|
||||||
$_[0]
|
$_[0]->conf->{managerPassword};
|
||||||
->p->logger->warn('Warning: "ldapBindPassword" parameter is not set');
|
|
||||||
return '';
|
|
||||||
}
|
}
|
||||||
);
@ -439,7 +471,7 @@ sub _ldap {
|
||||||
my $useTls = 0;
|
my $useTls = 0;
|
||||||
my $tlsParam;
|
my $tlsParam;
|
||||||
my @servers = ();
|
my @servers = ();
|
||||||
foreach my $server ( split /[\s,]+/, $self->{ldapServer} ) {
|
foreach my $server ( split /[\s,]+/, $self->ldapServer ) {
|
||||||
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
|
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
|
||||||
$useTls = 1;
|
$useTls = 1;
|
||||||
$server = $1;
|
$server = $1;
@ -455,18 +487,35 @@ sub _ldap {
|
||||||
my $ldap = Net::LDAP->new(
|
my $ldap = Net::LDAP->new(
|
||||||
\@servers,
|
\@servers,
|
||||||
onerror => undef,
|
onerror => undef,
|
||||||
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
|
( $self->ldapPort ? ( port => $self->ldapPort ) : () ),
|
||||||
|
( $self->ldapVerify ? ( verify => $self->ldapVerify ) : () ),
|
||||||
|
( $self->ldapCAFile ? ( cafile => $self->ldapCAFile ) : () ),
|
||||||
|
( $self->ldapCAPath ? ( capath => $self->ldapCAPath ) : () ),
|
||||||
);
|
);
unless ($ldap) {
|
unless ($ldap) {
|
||||||
|
use Data::Dumper;
|
||||||
die 'connexion failed: ' . $@;
|
die 'connexion failed: ' . $@;
|
||||||
}
|
}
|
||||||
|
elsif ( $Net::LDAP::VERSION < '0.64' ) {
# CentOS7 has a bug in which IO::Socket::SSL will return a broken
|
||||||
|
# socket when certificate validation fails. Net::LDAP does not catch
|
||||||
|
# it, and the process ends up crashing.
|
||||||
|
# As a precaution, make sure the underlying socket is doing fine:
|
||||||
|
if ( $ldap->socket->isa('IO::Socket::SSL')
|
||||||
|
and $ldap->socket->errstr < 0 )
|
||||||
|
{
|
||||||
|
die "SSL connection error: " . $ldap->socket->errstr;
|
||||||
|
}
|
||||||
|
}
# Start TLS if needed
|
# Start TLS if needed
|
||||||
if ($useTls) {
|
if ($useTls) {
|
||||||
my %h = split( /[&=]/, $tlsParam );
|
my %h = split( /[&=]/, $tlsParam );
|
||||||
$h{cafile} = $self->{caFile} if ( $self->{caFile} );
|
$h{cafile} ||= $self->ldapCAFile if ( $self->ldapCAFile );
|
||||||
$h{capath} = $self->{caPath} if ( $self->{caPath} );
|
$h{capath} ||= $self->ldapCAPath if ( $self->ldapCAPath );
|
||||||
|
$h{verify} ||= $self->ldapVerify if ( $self->ldapVerify );
|
||||||
my $start_tls = $ldap->start_tls(%h);
|
my $start_tls = $ldap->start_tls(%h);
|
||||||
if ( $start_tls->code ) {
|
if ( $start_tls->code ) {
|
||||||
die 'tls failed: ' . $start_tls->error;
|
die 'tls failed: ' . $start_tls->error;
@ -475,7 +524,7 @@ sub _ldap {
# Bind with credentials
|
# Bind with credentials
|
||||||
my $bind =
|
my $bind =
|
||||||
$ldap->bind( $self->{ldapBindDN}, password => $self->{ldapBindPassword} );
|
$ldap->bind( $self->ldapBindDN, password => $self->ldapBindPassword );
|
||||||
if ( $bind->code ) {
|
if ( $bind->code ) {
|
||||||
die 'bind failed: ' . $bind->error;
|
die 'bind failed: ' . $bind->error;
|
||||||
}
|
}
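Review bot: `use Data::Dumper;` inside the `unless ($ldap)` branch of `_ldap` is leftover debugging — `use` runs at compile time and loads the module for the whole file whether or not the branch is taken, and nothing in the hunk calls it — so drop that line. In the start_tls branch the new `||=` assignments give the `ldap+tls://host/?…` query parameters precedence over the configured `ldapVerify`, `ldapCAFile` and `ldapCAPath`, so a URI carrying `verify=none` silently disables certificate validation despite the `require` default; if that precedence is intended, say so with `# URI query parameters override the ldapVerify/ldapCAFile/ldapCAPath settings`, otherwise use plain assignment `$h{verify} = $self->ldapVerify if $self->ldapVerify;` for the verify key. Passing `verify`/`cafile`/`capath` to `Net::LDAP->new` presumably only matters for `ldaps://` URIs; a one-line comment there would save the next reader the lookup. `_ldap` continues outside the visible hunks.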
@ -6,7 +6,7 @@ use JSON;
|
||||||
use Lemonldap::NG::Common::PSGI::Constants;
|
use Lemonldap::NG::Common::PSGI::Constants;
|
||||||
use Lemonldap::NG::Common::PSGI::Request;
|
use Lemonldap::NG::Common::PSGI::Request;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
our $_json = JSON->new->allow_nonref;
|
our $_json = JSON->new->allow_nonref;
@ -6,7 +6,7 @@
package Lemonldap::NG::Common::Session;
|
package Lemonldap::NG::Common::Session;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
use Lemonldap::NG::Common::Apache::Session;
|
use Lemonldap::NG::Common::Apache::Session;
@ -123,12 +123,6 @@ sub BUILD {
|
||||||
$data = $self->_tie_session;
|
$data = $self->_tie_session;
|
||||||
}
|
}
# If session is created
|
|
||||||
# Then set session kind in session
|
|
||||||
if ( $creation and $self->kind ) {
|
|
||||||
$data->{_session_kind} = $self->kind;
|
|
||||||
}
if ( $self->{info} ) {
|
if ( $self->{info} ) {
|
||||||
foreach ( keys %{ $self->{info} } ) {
|
foreach ( keys %{ $self->{info} } ) {
|
||||||
next if ( $_ eq "_session_id" and $data->{_session_id} );
|
next if ( $_ eq "_session_id" and $data->{_session_id} );
@ -143,6 +137,12 @@ sub BUILD {
|
||||||
delete $self->{info};
|
delete $self->{info};
|
||||||
}
|
}
# If session is created
|
||||||
|
# Then set session kind in session
|
||||||
|
if ( $creation and $self->kind ) {
|
||||||
|
$data->{_session_kind} = $self->kind;
|
||||||
|
}
# Load session data into object
|
# Load session data into object
|
||||||
if ($data) {
|
if ($data) {
|
||||||
if ( $self->kind and $data->{_session_kind} ) {
|
if ( $self->kind and $data->{_session_kind} ) {
|
@ -45,7 +45,7 @@
|
||||||
},
|
},
|
||||||
"requires" : {
|
"requires" : {
|
||||||
"LWP::UserAgent" : "0",
|
"LWP::UserAgent" : "0",
|
||||||
"Lemonldap::NG::Common" : "v2.0.8",
|
"Lemonldap::NG::Common" : "v2.0.9",
|
||||||
"Mouse" : "0",
|
"Mouse" : "0",
|
||||||
"URI" : "0"
|
"URI" : "0"
|
||||||
}
|
}
|
||||||
|
@ -60,6 +60,6 @@
|
||||||
],
|
],
|
||||||
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
||||||
},
|
},
|
||||||
"version" : "v2.0.8",
|
"version" : "v2.0.9",
|
||||||
"x_serialization_backend" : "JSON::PP version 4.02"
|
"x_serialization_backend" : "JSON::PP version 2.97001"
|
||||||
}
|
}
@ -30,7 +30,7 @@ recommends:
|
||||||
SOAP::Lite: '0'
|
SOAP::Lite: '0'
|
||||||
requires:
|
requires:
|
||||||
LWP::UserAgent: '0'
|
LWP::UserAgent: '0'
|
||||||
Lemonldap::NG::Common: v2.0.8
|
Lemonldap::NG::Common: v2.0.9
|
||||||
Mouse: '0'
|
Mouse: '0'
|
||||||
URI: '0'
|
URI: '0'
|
||||||
resources:
|
resources:
|
||||||
|
@ -38,5 +38,5 @@ resources:
|
||||||
X_twitter: https://twitter.com/lemonldapng
|
X_twitter: https://twitter.com/lemonldapng
|
||||||
homepage: http://lemonldap-ng.org/
|
homepage: http://lemonldap-ng.org/
|
||||||
license: http://opensource.org/licenses/GPL-2.0
|
license: http://opensource.org/licenses/GPL-2.0
|
||||||
version: v2.0.8
|
version: v2.0.9
|
||||||
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
@ -41,7 +41,7 @@ WriteMakefile(
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
PREREQ_PM => {
|
PREREQ_PM => {
|
||||||
'Lemonldap::NG::Common' => '2.0.8',
|
'Lemonldap::NG::Common' => '2.0.9',
|
||||||
'LWP::UserAgent' => 0,
|
'LWP::UserAgent' => 0,
|
||||||
'Mouse' => 0,
|
'Mouse' => 0,
|
||||||
'URI' => 0,
|
'URI' => 0,
@ -3,7 +3,7 @@ package Lemonldap::NG::Handler;
|
||||||
# Use the appropriate handler
|
# Use the appropriate handler
|
||||||
# For Apache, use Lemonldap::NG::Handler::ApacheMP2
|
# For Apache, use Lemonldap::NG::Handler::ApacheMP2
|
|
our $VERSION = '2.0.9';
1;
|
1;
@ -18,6 +18,8 @@ sub portalConsts {
|
||||||
'10' => 'PE_BADCERTIFICATE',
|
'10' => 'PE_BADCERTIFICATE',
|
||||||
'100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
|
'100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
|
||||||
'101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
|
'101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
|
||||||
|
'102' => 'PE_UPGRADESESSION',
|
||||||
|
'103' => 'PE_NO_SECOND_FACTORS',
|
||||||
'2' => 'PE_FORMEMPTY',
|
'2' => 'PE_FORMEMPTY',
|
||||||
'21' => 'PE_PP_ACCOUNT_LOCKED',
|
'21' => 'PE_PP_ACCOUNT_LOCKED',
|
||||||
'22' => 'PE_PP_PASSWORD_EXPIRED',
|
'22' => 'PE_PP_PASSWORD_EXPIRED',
@ -265,17 +265,14 @@ sub checkMaintenanceMode {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
## @rmethod boolean grant(string uri, string cond)
|
## @rmethod int getLevel(string uri, string $vhost)
|
||||||
# Grant or refuse client using compiled regexp and functions
|
# Return required authentication level for this URI
|
||||||
|
# default to vhost authentication level
|
||||||
# @param $uri URI
|
# @param $uri URI
|
||||||
# @param $cond optional Function granting access
|
# @param $vhost vhost name, default to current request
|
||||||
# @return True if the user is granted to access to the current URL
|
sub getLevel {
|
||||||
sub grant {
|
my ( $class, $req, $uri, $vhost ) = @_;
|
||||||
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
|
|
||||||
my $level;
|
my $level;
return $cond->( $req, $session ) if ($cond);
$vhost ||= $class->resolveAlias($req);
|
$vhost ||= $class->resolveAlias($req);
# Using URL authentification level if exists
|
# Using URL authentification level if exists
|
||||||
|
@ -290,13 +287,33 @@ sub grant {
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$level
|
if ($level) {
|
||||||
? $class->logger->debug(
|
$class->logger->debug(
|
||||||
'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' )
|
'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' );
|
||||||
: $class->logger->debug("No URL authentication level found...");
|
return $level;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$class->logger->debug("No URL authentication level found...");
|
||||||
|
return $class->tsv->{authnLevel}->{$vhost};
|
||||||
|
}
|
||||||
|
}
## @rmethod boolean grant(string uri, string cond)
|
||||||
|
# Grant or refuse client using compiled regexp and functions
|
||||||
|
# @param $uri URI
|
||||||
|
# @param $cond optional Function granting access
|
||||||
|
# @return True if the user is granted to access to the current URL
|
||||||
|
sub grant {
|
||||||
|
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
return $cond->( $req, $session ) if ($cond);
$vhost ||= $class->resolveAlias($req);
my $level = $class->getLevel( $req, $uri );
# Using VH authentification level if exists
|
# Using VH authentification level if exists
|
||||||
if ( $level ||= $class->tsv->{authnLevel}->{$vhost} ) {
|
if ($level) {
|
||||||
if ( $session->{authenticationLevel} < $level ) {
|
if ( $session->{authenticationLevel} < $level ) {
|
||||||
$class->logger->debug(
|
$class->logger->debug(
|
||||||
"User authentication level = $session->{authenticationLevel}");
|
"User authentication level = $session->{authenticationLevel}");
@ -40,8 +40,8 @@
|
||||||
"Convert::PEM" : "0",
|
"Convert::PEM" : "0",
|
||||||
"Crypt::OpenSSL::RSA" : "0",
|
"Crypt::OpenSSL::RSA" : "0",
|
||||||
"LWP::UserAgent" : "0",
|
"LWP::UserAgent" : "0",
|
||||||
"Lemonldap::NG::Common" : "v2.0.8",
|
"Lemonldap::NG::Common" : "v2.0.9",
|
||||||
"Lemonldap::NG::Handler" : "v2.0.8"
|
"Lemonldap::NG::Handler" : "v2.0.9"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -54,6 +54,6 @@
|
||||||
],
|
],
|
||||||
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
||||||
},
|
},
|
||||||
"version" : "v2.0.8",
|
"version" : "v2.0.9",
|
||||||
"x_serialization_backend" : "JSON::PP version 4.02"
|
"x_serialization_backend" : "JSON::PP version 2.97001"
|
||||||
}
|
}
@ -25,12 +25,12 @@ requires:
|
||||||
Convert::PEM: '0'
|
Convert::PEM: '0'
|
||||||
Crypt::OpenSSL::RSA: '0'
|
Crypt::OpenSSL::RSA: '0'
|
||||||
LWP::UserAgent: '0'
|
LWP::UserAgent: '0'
|
||||||
Lemonldap::NG::Common: v2.0.8
|
Lemonldap::NG::Common: v2.0.9
|
||||||
Lemonldap::NG::Handler: v2.0.8
|
Lemonldap::NG::Handler: v2.0.9
|
||||||
resources:
|
resources:
|
||||||
MailingList: mailto:lemonldap-ng-dev@ow2.org
|
MailingList: mailto:lemonldap-ng-dev@ow2.org
|
||||||
X_twitter: https://twitter.com/lemonldapng
|
X_twitter: https://twitter.com/lemonldapng
|
||||||
homepage: http://lemonldap-ng.org/
|
homepage: http://lemonldap-ng.org/
|
||||||
license: http://opensource.org/licenses/GPL-2.0
|
license: http://opensource.org/licenses/GPL-2.0
|
||||||
version: v2.0.8
|
version: v2.0.9
|
||||||
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
@ -35,8 +35,8 @@ WriteMakefile(
|
||||||
PREREQ_PM => {
|
PREREQ_PM => {
|
||||||
'Convert::PEM' => 0,
|
'Convert::PEM' => 0,
|
||||||
'Crypt::OpenSSL::RSA' => 0,
|
'Crypt::OpenSSL::RSA' => 0,
|
||||||
'Lemonldap::NG::Common' => '2.0.8',
|
'Lemonldap::NG::Common' => '2.0.9',
|
||||||
'Lemonldap::NG::Handler' => '2.0.8',
|
'Lemonldap::NG::Handler' => '2.0.9',
|
||||||
'LWP::UserAgent' => 0,
|
'LWP::UserAgent' => 0,
|
||||||
}, # e.g., Module::Name => 1.1
|
}, # e.g., Module::Name => 1.1
|
||||||
(
|
(
@ -17,7 +17,7 @@ use JSON;
|
||||||
use Lemonldap::NG::Common::Conf::Constants;
|
use Lemonldap::NG::Common::Conf::Constants;
|
||||||
use Lemonldap::NG::Common::PSGI::Constants;
|
use Lemonldap::NG::Common::PSGI::Constants;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
extends 'Lemonldap::NG::Common::Conf::AccessLib',
|
extends 'Lemonldap::NG::Common::Conf::AccessLib',
|
||||||
'Lemonldap::NG::Handler::PSGI::Router';
|
'Lemonldap::NG::Handler::PSGI::Router';
@ -1,6 +1,6 @@
|
||||||
package Lemonldap::NG::Manager::Api::2F;
|
package Lemonldap::NG::Manager::Api::2F;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
package Lemonldap::NG::Manager::Api;
|
package Lemonldap::NG::Manager::Api;
@ -1,6 +1,6 @@
|
||||||
package Lemonldap::NG::Manager::Api::Common;
|
package Lemonldap::NG::Manager::Api::Common;
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
package Lemonldap::NG::Manager::Api;
|
package Lemonldap::NG::Manager::Api;
@ -1,9 +1,11 @@
|
||||||
# Miscenalleous endpoints
|
# Miscenalleous endpoints
|
||||||
package Lemonldap::NG::Manager::Api::Misc;
|
package Lemonldap::NG::Manager::Api::Misc;
|
|
our $VERSION = '2.0.9';
package Lemonldap::NG::Manager::Api;
|
package Lemonldap::NG::Manager::Api;
use Mouse;
|
||||||
extends 'Lemonldap::NG::Manager::Api::Common';
|
extends 'Lemonldap::NG::Manager::Api::Common';
|
|
# Health-check endpoint
@ -713,6 +713,9 @@ sub attributes {
|
||||||
'casAppMetaDataOptions' => {
|
'casAppMetaDataOptions' => {
|
||||||
'type' => 'subContainer'
|
'type' => 'subContainer'
|
||||||
},
|
},
|
||||||
|
'casAppMetaDataOptionsAuthnLevel' => {
|
||||||
|
'type' => 'int'
|
||||||
|
},
|
||||||
'casAppMetaDataOptionsRule' => {
|
'casAppMetaDataOptionsRule' => {
|
||||||
'test' => sub {
|
'test' => sub {
|
||||||
return perlExpr(@_);
|
return perlExpr(@_);
|
||||||
|
@ -1581,6 +1584,12 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
||||||
'test' => qr/^(?:\w+=.*|)$/,
|
'test' => qr/^(?:\w+=.*|)$/,
|
||||||
'type' => 'text'
|
'type' => 'text'
|
||||||
},
|
},
|
||||||
|
'ldapCAFile' => {
|
||||||
|
'type' => 'text'
|
||||||
|
},
|
||||||
|
'ldapCAPath' => {
|
||||||
|
'type' => 'text'
|
||||||
|
},
|
||||||
'ldapChangePasswordAsUser' => {
|
'ldapChangePasswordAsUser' => {
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
|
@ -1706,6 +1715,23 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
'default' => 1,
|
'default' => 1,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
},
|
},
|
||||||
|
'ldapVerify' => {
|
||||||
|
'default' => 'require',
|
||||||
|
'select' => [ {
|
||||||
|
'k' => 'none',
|
||||||
|
'v' => 'None'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'k' => 'optional',
|
||||||
|
'v' => 'Optional'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'k' => 'require',
|
||||||
|
'v' => 'Require'
|
||||||
|
}
|
||||||
|
],
|
||||||
|
'type' => 'select'
|
||||||
|
},
|
||||||
'ldapVersion' => {
|
'ldapVersion' => {
|
||||||
'default' => 3,
|
'default' => 3,
|
||||||
'type' => 'int'
|
'type' => 'int'
|
||||||
|
@ -2152,6 +2178,9 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
},
|
},
|
||||||
|
'oidcRPMetaDataOptionsAuthnLevel' => {
|
||||||
|
'type' => 'int'
|
||||||
|
},
|
||||||
'oidcRPMetaDataOptionsAuthorizationCodeExpiration' => {
|
'oidcRPMetaDataOptionsAuthorizationCodeExpiration' => {
|
||||||
'type' => 'int'
|
'type' => 'int'
|
||||||
},
|
},
|
||||||
|
@ -3396,6 +3425,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
||||||
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
|
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
|
||||||
'type' => 'keyTextContainer'
|
'type' => 'keyTextContainer'
|
||||||
},
|
},
|
||||||
|
'samlSPMetaDataOptionsAuthnLevel' => {
|
||||||
|
'type' => 'int'
|
||||||
|
},
|
||||||
'samlSPMetaDataOptionsCheckSLOMessageSignature' => {
|
'samlSPMetaDataOptionsCheckSLOMessageSignature' => {
|
||||||
'default' => 1,
|
'default' => 1,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
|
@ -3633,6 +3665,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
||||||
'default' => 1,
|
'default' => 1,
|
||||||
'type' => 'boolOrExpr'
|
'type' => 'boolOrExpr'
|
||||||
},
|
},
|
||||||
|
'sfOnlyUpgrade' => {
|
||||||
|
'type' => 'bool'
|
||||||
|
},
|
||||||
'sfRemovedMsgRule' => {
|
'sfRemovedMsgRule' => {
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'boolOrExpr'
|
'type' => 'boolOrExpr'
|
||||||
|
@ -3678,6 +3713,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
||||||
'default' => 0,
|
'default' => 0,
|
||||||
'type' => 'bool'
|
'type' => 'bool'
|
||||||
},
|
},
|
||||||
|
'skipUpgradeConfirmation' => {
|
||||||
|
'default' => 0,
|
||||||
|
'type' => 'bool'
|
||||||
|
},
|
||||||
'slaveAuthnLevel' => {
|
'slaveAuthnLevel' => {
|
||||||
'default' => 2,
|
'default' => 2,
|
||||||
'type' => 'int'
|
'type' => 'int'
|
||||||
|
|
|
@ -601,6 +601,12 @@ sub attributes {
|
||||||
documentation =>
|
documentation =>
|
||||||
'Avoid asking confirmation when an Issuer asks to renew auth',
|
'Avoid asking confirmation when an Issuer asks to renew auth',
|
||||||
},
|
},
|
||||||
|
skipUpgradeConfirmation => {
|
||||||
|
type => 'bool',
|
||||||
|
default => 0,
|
||||||
|
documentation =>
|
||||||
|
'Avoid asking confirmation during a session upgrade',
|
||||||
|
},
|
||||||
refreshSessions => {
|
refreshSessions => {
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
documentation => 'Refresh sessions plugin',
|
documentation => 'Refresh sessions plugin',
|
||||||
|
@ -2309,6 +2315,10 @@ sub attributes {
|
||||||
type => 'text',
|
type => 'text',
|
||||||
documentation => 'CAS User attribute',
|
documentation => 'CAS User attribute',
|
||||||
},
|
},
|
||||||
|
casAppMetaDataOptionsAuthnLevel => {
|
||||||
|
type => 'int',
|
||||||
|
documentation => 'Authentication level requires to access to this CAS application',
|
||||||
|
},
|
||||||
casAppMetaDataOptionsRule => {
|
casAppMetaDataOptionsRule => {
|
||||||
type => 'text',
|
type => 'text',
|
||||||
test => sub { return perlExpr(@_) },
|
test => sub { return perlExpr(@_) },
|
||||||
|
@ -2920,6 +2930,10 @@ sub attributes {
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
default => 1,
|
default => 1,
|
||||||
},
|
},
|
||||||
|
samlSPMetaDataOptionsAuthnLevel => {
|
||||||
|
type => 'int',
|
||||||
|
documentation => 'Authentication level requires to access to this SP',
|
||||||
|
},
|
||||||
samlSPMetaDataOptionsRule => {
|
samlSPMetaDataOptionsRule => {
|
||||||
type => 'text',
|
type => 'text',
|
||||||
test => sub { return perlExpr(@_) },
|
test => sub { return perlExpr(@_) },
|
||||||
|
@ -3015,6 +3029,11 @@ sub attributes {
|
||||||
help => 'secondfactor.html',
|
help => 'secondfactor.html',
|
||||||
documentation => 'Second factor required',
|
documentation => 'Second factor required',
|
||||||
},
|
},
|
||||||
|
sfOnlyUpgrade => {
|
||||||
|
type => 'bool',
|
||||||
|
help => 'secondfactor.html',
|
||||||
|
documentation => 'Only trigger second factor on session upgrade',
|
||||||
|
},
|
||||||
sfManagerRule => {
|
sfManagerRule => {
|
||||||
type => 'boolOrExpr',
|
type => 'boolOrExpr',
|
||||||
default => 1,
|
default => 1,
|
||||||
|
@ -3256,6 +3275,25 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
type => 'bool',
|
type => 'bool',
|
||||||
documentation => 'Support for IBM Tivoli Directory Server',
|
documentation => 'Support for IBM Tivoli Directory Server',
|
||||||
},
|
},
|
||||||
|
ldapVerify => {
|
||||||
|
type => 'bool',
|
||||||
|
documentation => 'Whether to validate LDAP certificates',
|
||||||
|
type => "select",
|
||||||
|
select => [
|
||||||
|
{ k => 'none', v => 'None' },
|
||||||
|
{ k => 'optional', v => 'Optional' },
|
||||||
|
{ k => 'require', v => 'Require' },
|
||||||
|
],
|
||||||
|
default => 'require',
|
||||||
|
},
|
||||||
|
ldapCAFile => {
|
||||||
|
type => 'text',
|
||||||
|
documentation => 'Location of the certificate file for LDAP connections',
|
||||||
|
},
|
||||||
|
ldapCAPath => {
|
||||||
|
type => 'text',
|
||||||
|
documentation => 'Location of the CA directory for LDAP connections',
|
||||||
|
},
|
||||||
|
|
||||||
# SSL
|
# SSL
|
||||||
SSLAuthnLevel => {
|
SSLAuthnLevel => {
|
||||||
|
@ -4070,6 +4108,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
||||||
default => 0,
|
default => 0,
|
||||||
documentation => 'Issue refresh tokens',
|
documentation => 'Issue refresh tokens',
|
||||||
},
|
},
|
||||||
|
oidcRPMetaDataOptionsAuthnLevel => {
|
||||||
|
type => 'int',
|
||||||
|
documentation => 'Authentication level requires to access to this RP',
|
||||||
|
},
|
||||||
oidcRPMetaDataOptionsRule => {
|
oidcRPMetaDataOptionsRule => {
|
||||||
type => 'text',
|
type => 'text',
|
||||||
test => sub { return perlExpr(@_) },
|
test => sub { return perlExpr(@_) },
|
||||||
|
|
|
@ -134,6 +134,7 @@ sub cTrees {
|
||||||
nodes => [
|
nodes => [
|
||||||
"samlSPMetaDataOptionsEncryptionMode",
|
"samlSPMetaDataOptionsEncryptionMode",
|
||||||
"samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
"samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel",
|
||||||
"samlSPMetaDataOptionsRule",
|
"samlSPMetaDataOptionsRule",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -221,6 +222,7 @@ sub cTrees {
|
||||||
'oidcRPMetaDataOptionsRequirePKCE',
|
'oidcRPMetaDataOptionsRequirePKCE',
|
||||||
'oidcRPMetaDataOptionsAllowOffline',
|
'oidcRPMetaDataOptionsAllowOffline',
|
||||||
'oidcRPMetaDataOptionsAllowPasswordGrant',
|
'oidcRPMetaDataOptionsAllowPasswordGrant',
|
||||||
|
'oidcRPMetaDataOptionsAuthnLevel',
|
||||||
'oidcRPMetaDataOptionsRule',
|
'oidcRPMetaDataOptionsRule',
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -286,6 +288,7 @@ sub cTrees {
|
||||||
nodes => [
|
nodes => [
|
||||||
'casAppMetaDataOptionsService',
|
'casAppMetaDataOptionsService',
|
||||||
'casAppMetaDataOptionsUserAttribute',
|
'casAppMetaDataOptionsUserAttribute',
|
||||||
|
'casAppMetaDataOptionsAuthnLevel',
|
||||||
'casAppMetaDataOptionsRule'
|
'casAppMetaDataOptionsRule'
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
@ -108,7 +108,9 @@ sub portalConstants {
|
||||||
PE_RESETCERTIFICATE_FORMEMPTY => 98,
|
PE_RESETCERTIFICATE_FORMEMPTY => 98,
|
||||||
PE_RESETCERTIFICATE_FIRSTACCESS => 99,
|
PE_RESETCERTIFICATE_FIRSTACCESS => 99,
|
||||||
PE_PP_NOT_ALLOWED_CHARACTER => 100,
|
PE_PP_NOT_ALLOWED_CHARACTER => 100,
|
||||||
PE_PP_NOT_ALLOWED_CHARACTERS => 101
|
PE_PP_NOT_ALLOWED_CHARACTERS => 101,
|
||||||
|
PE_UPGRADESESSION => 102,
|
||||||
|
PE_NO_SECOND_FACTORS => 103
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -265,10 +265,11 @@ sub tree {
|
||||||
help => 'authldap.html#connection',
|
help => 'authldap.html#connection',
|
||||||
form => 'simpleInputContainer',
|
form => 'simpleInputContainer',
|
||||||
nodes => [
|
nodes => [
|
||||||
'ldapServer', 'ldapPort',
|
'ldapServer', 'ldapPort',
|
||||||
'ldapBase', 'managerDn',
|
'ldapVerify', 'ldapBase',
|
||||||
'managerPassword', 'ldapTimeout',
|
'managerDn', 'managerPassword',
|
||||||
'ldapVersion', 'ldapRaw'
|
'ldapTimeout', 'ldapVersion',
|
||||||
|
'ldapRaw', 'ldapCAFile', 'ldapCAPath',
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -959,6 +960,7 @@ sub tree {
|
||||||
'sfRemovedNotifMsg',
|
'sfRemovedNotifMsg',
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
'sfOnlyUpgrade',
|
||||||
'sfManagerRule',
|
'sfManagerRule',
|
||||||
'sfRequired',
|
'sfRequired',
|
||||||
]
|
]
|
||||||
|
@ -1067,6 +1069,7 @@ sub tree {
|
||||||
nodes => [
|
nodes => [
|
||||||
'jsRedirect', 'noAjaxHook',
|
'jsRedirect', 'noAjaxHook',
|
||||||
'skipRenewConfirmation',
|
'skipRenewConfirmation',
|
||||||
|
'skipUpgradeConfirmation',
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
'nginxCustomHandlers',
|
'nginxCustomHandlers',
|
||||||
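Review bot: In the LDAP connection form the new TLS inputs end up scattered: `ldapVerify` is inserted right after `ldapPort`, while `ldapCAFile` and `ldapCAPath`, which presumably only take effect when verification is enabled, are appended at the very end after `ldapRaw`. Keeping the three certificate-validation fields adjacent makes it obvious to an administrator that they belong together and that the CA location is what `ldapVerify` checks against, for example `'ldapServer', 'ldapPort', 'ldapVerify', 'ldapCAFile', 'ldapCAPath', 'ldapBase', 'managerDn', 'managerPassword', 'ldapTimeout', 'ldapVersion', 'ldapRaw',`. The trailing comma after `'ldapCAPath'` is fine in Perl, so only the ordering changes. The enclosing `tree` sub starts and ends outside these hunks.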
|
|
|
@ -20,7 +20,7 @@ use feature 'state';
|
||||||
extends 'Lemonldap::NG::Manager::Plugin',
|
extends 'Lemonldap::NG::Manager::Plugin',
|
||||||
'Lemonldap::NG::Common::Conf::RESTServer';
|
'Lemonldap::NG::Common::Conf::RESTServer';
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# I. INITIALIZATION METHODS #
|
# I. INITIALIZATION METHODS #
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
package Lemonldap::NG::Manager::Conf::Zero;
|
package Lemonldap::NG::Manager::Conf::Zero;
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
sub zeroConf {
|
sub zeroConf {
|
||||||
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir, $cacheDir ) = @_;
|
my ( $domain, $sessionDir, $persistentSessionDir, $notificationDir, $cacheDir ) = @_;
|
||||||
|
|
|
@ -48,6 +48,12 @@ function templates(tpl,key) {
|
||||||
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",
|
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",
|
||||||
"title" : "casAppMetaDataOptionsUserAttribute"
|
"title" : "casAppMetaDataOptionsUserAttribute"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"get" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsAuthnLevel",
|
||||||
|
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsAuthnLevel",
|
||||||
|
"title" : "casAppMetaDataOptionsAuthnLevel",
|
||||||
|
"type" : "int"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"get" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
|
"get" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
|
||||||
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
|
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
|
||||||
|
@ -535,6 +541,12 @@ function templates(tpl,key) {
|
||||||
"title" : "oidcRPMetaDataOptionsAllowPasswordGrant",
|
"title" : "oidcRPMetaDataOptionsAllowPasswordGrant",
|
||||||
"type" : "bool"
|
"type" : "bool"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthnLevel",
|
||||||
|
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthnLevel",
|
||||||
|
"title" : "oidcRPMetaDataOptionsAuthnLevel",
|
||||||
|
"type" : "int"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
|
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
|
||||||
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
|
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
|
||||||
|
@ -1153,6 +1165,12 @@ function templates(tpl,key) {
|
||||||
"title" : "samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
"title" : "samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
||||||
"type" : "bool"
|
"type" : "bool"
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsAuthnLevel",
|
||||||
|
"id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsAuthnLevel",
|
||||||
|
"title" : "samlSPMetaDataOptionsAuthnLevel",
|
||||||
|
"type" : "int"
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",
|
"get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",
|
||||||
"id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",
|
"id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"تطبيق كاس",
|
"casAppMetaDataNodes":"تطبيق كاس",
|
||||||
"casAppMetaDataOptions":"خيارات",
|
"casAppMetaDataOptions":"خيارات",
|
||||||
"casAppMetaDataOptionsService":"خدمة أل يو أر ل",
|
"casAppMetaDataOptionsService":"خدمة أل يو أر ل",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
|
||||||
"casAppMetaDataOptionsRule":"القاعدة",
|
"casAppMetaDataOptionsRule":"القاعدة",
|
||||||
"casAppMetaDataMacros":"ماكرو",
|
"casAppMetaDataMacros":"ماكرو",
|
||||||
"casAppMetaDataOptionsUserAttribute":"خاصّيّة المستخدم",
|
"casAppMetaDataOptionsUserAttribute":"خاصّيّة المستخدم",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"السماح بإعادة تعيين كلمة مرور منتهية الصلاحية",
|
"ldapAllowResetExpiredPassword":"السماح بإعادة تعيين كلمة مرور منتهية الصلاحية",
|
||||||
"ldapAuthnLevel":"مستوى إثبات الهوية",
|
"ldapAuthnLevel":"مستوى إثبات الهوية",
|
||||||
"ldapBase":"قاعدة بحث المستخدمين",
|
"ldapBase":"قاعدة بحث المستخدمين",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"تغيير كمستخدم",
|
"ldapChangePasswordAsUser":"تغيير كمستخدم",
|
||||||
"ldapConnection":"الاتصال",
|
"ldapConnection":"الاتصال",
|
||||||
"ldapExportedVars":"المتغيرات المصدرة",
|
"ldapExportedVars":"المتغيرات المصدرة",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"تعديل كلمة المرور مع عملية موسعة",
|
"ldapSetPassword":"تعديل كلمة المرور مع عملية موسعة",
|
||||||
"ldapTimeout":"مهلة",
|
"ldapTimeout":"مهلة",
|
||||||
"ldapUsePasswordResetAttribute":"استخدام سمة إعادة الضبط",
|
"ldapUsePasswordResetAttribute":"استخدام سمة إعادة الضبط",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"الإصدار",
|
"ldapVersion":"الإصدار",
|
||||||
"level":"Level",
|
"level":"Level",
|
||||||
"linkedInAuthnLevel":"مستوى إثبات الهوية",
|
"linkedInAuthnLevel":"مستوى إثبات الهوية",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"بروتوكول",
|
"oidcOPMetaDataOptionsProtocol":"بروتوكول",
|
||||||
"oidcRPMetaDataOptionsPublic":"Public client",
|
"oidcRPMetaDataOptionsPublic":"Public client",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
|
||||||
"oidcRPMetaDataOptionsRule":"قاعدة الدخول",
|
"oidcRPMetaDataOptionsRule":"قاعدة الدخول",
|
||||||
"oidcRPMetaDataMacros":"ماكرو",
|
"oidcRPMetaDataMacros":"ماكرو",
|
||||||
"oidcOPMetaDataOptionsScope":"نطاق",
|
"oidcOPMetaDataOptionsScope":"نطاق",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Second factors authentication",
|
"sfaTitle":"Second factors authentication",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"تفعيل",
|
"sfRemovedMsgRule":"تفعيل",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"مستخدم واحد لكل عنوان آي بي",
|
"singleUserByIP":"مستخدم واحد لكل عنوان آي بي",
|
||||||
"skipRenewConfirmation":"Skip re-auth confirmation",
|
"skipRenewConfirmation":"Skip re-auth confirmation",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"مستوى إثبات الهوية",
|
"slaveAuthnLevel":"مستوى إثبات الهوية",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"المتغيرات المصدرة",
|
"slaveExportedVars":"المتغيرات المصدرة",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"جلسة ليست مع أو بعد المدة",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"جلسة ليست مع أو بعد المدة",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"ليس على أو بعد المدة",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"ليس على أو بعد المدة",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"فرضUTF-8 ",
|
"samlSPMetaDataOptionsForceUTF8":"فرضUTF-8 ",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
|
||||||
"samlSPMetaDataOptionsRule":"قاعدة الدخول",
|
"samlSPMetaDataOptionsRule":"قاعدة الدخول",
|
||||||
"samlSPMetaDataMacros":"ماكرو",
|
"samlSPMetaDataMacros":"ماكرو",
|
||||||
"samlIDPName":"اسم SAML IDP",
|
"samlIDPName":"اسم SAML IDP",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
|
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
|
||||||
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
|
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
|
||||||
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"CAS Applikationen",
|
"casAppMetaDataNodes":"CAS Applikationen",
|
||||||
"casAppMetaDataOptions":"Optionen",
|
"casAppMetaDataOptions":"Optionen",
|
||||||
"casAppMetaDataOptionsService":"Service URL",
|
"casAppMetaDataOptionsService":"Service URL",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"casAppMetaDataOptionsRule":"Regel",
|
"casAppMetaDataOptionsRule":"Regel",
|
||||||
"casAppMetaDataMacros":"Macros",
|
"casAppMetaDataMacros":"Macros",
|
||||||
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
||||||
"ldapAuthnLevel":"Authentication level",
|
"ldapAuthnLevel":"Authentication level",
|
||||||
"ldapBase":"Users search base",
|
"ldapBase":"Users search base",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Change as user",
|
"ldapChangePasswordAsUser":"Change as user",
|
||||||
"ldapConnection":"Connection",
|
"ldapConnection":"Connection",
|
||||||
"ldapExportedVars":"Exported variables",
|
"ldapExportedVars":"Exported variables",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Password modify extended operation",
|
"ldapSetPassword":"Password modify extended operation",
|
||||||
"ldapTimeout":"Timeout",
|
"ldapTimeout":"Timeout",
|
||||||
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Version",
|
"ldapVersion":"Version",
|
||||||
"level":"Level",
|
"level":"Level",
|
||||||
"linkedInAuthnLevel":"Authentication level",
|
"linkedInAuthnLevel":"Authentication level",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
||||||
"oidcRPMetaDataOptionsPublic":"Public client",
|
"oidcRPMetaDataOptionsPublic":"Public client",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"oidcRPMetaDataOptionsRule":"Access rule",
|
"oidcRPMetaDataOptionsRule":"Access rule",
|
||||||
"oidcRPMetaDataMacros":"Macros",
|
"oidcRPMetaDataMacros":"Macros",
|
||||||
"oidcOPMetaDataOptionsScope":"Scope",
|
"oidcOPMetaDataOptionsScope":"Scope",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Second factors authentication",
|
"sfaTitle":"Second factors authentication",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"Activation",
|
"sfRemovedMsgRule":"Activation",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"One user per IP address",
|
"singleUserByIP":"One user per IP address",
|
||||||
"skipRenewConfirmation":"Skip re-auth confirmation",
|
"skipRenewConfirmation":"Skip re-auth confirmation",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Authentication level",
|
"slaveAuthnLevel":"Authentication level",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"Exported variables",
|
"slaveExportedVars":"Exported variables",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"samlSPMetaDataOptionsRule":"Access rule",
|
"samlSPMetaDataOptionsRule":"Access rule",
|
||||||
"samlSPMetaDataMacros":"Macros",
|
"samlSPMetaDataMacros":"Macros",
|
||||||
"samlIDPName":"SAML IDP Name",
|
"samlIDPName":"SAML IDP Name",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"RelayState session timeout",
|
"samlRelayStateTimeout":"RelayState session timeout",
|
||||||
"samlUseQueryStringSpecific":"Use specific query_string method",
|
"samlUseQueryStringSpecific":"Use specific query_string method",
|
||||||
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"CAS Applications",
|
"casAppMetaDataNodes":"CAS Applications",
|
||||||
"casAppMetaDataOptions":"Options",
|
"casAppMetaDataOptions":"Options",
|
||||||
"casAppMetaDataOptionsService":"Service URL",
|
"casAppMetaDataOptionsService":"Service URL",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"casAppMetaDataOptionsRule":"Rule",
|
"casAppMetaDataOptionsRule":"Rule",
|
||||||
"casAppMetaDataMacros":"Macros",
|
"casAppMetaDataMacros":"Macros",
|
||||||
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
||||||
"ldapAuthnLevel":"Authentication level",
|
"ldapAuthnLevel":"Authentication level",
|
||||||
"ldapBase":"Users search base",
|
"ldapBase":"Users search base",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Change as user",
|
"ldapChangePasswordAsUser":"Change as user",
|
||||||
"ldapConnection":"Connection",
|
"ldapConnection":"Connection",
|
||||||
"ldapExportedVars":"Exported variables",
|
"ldapExportedVars":"Exported variables",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Password modify extended operation",
|
"ldapSetPassword":"Password modify extended operation",
|
||||||
"ldapTimeout":"Timeout",
|
"ldapTimeout":"Timeout",
|
||||||
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Version",
|
"ldapVersion":"Version",
|
||||||
"level":"Level",
|
"level":"Level",
|
||||||
"linkedInAuthnLevel":"Authentication level",
|
"linkedInAuthnLevel":"Authentication level",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
||||||
"oidcRPMetaDataOptionsPublic":"Public client",
|
"oidcRPMetaDataOptionsPublic":"Public client",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"oidcRPMetaDataOptionsRule":"Access rule",
|
"oidcRPMetaDataOptionsRule":"Access rule",
|
||||||
"oidcRPMetaDataMacros":"Macros",
|
"oidcRPMetaDataMacros":"Macros",
|
||||||
"oidcOPMetaDataOptionsScope":"Scope",
|
"oidcOPMetaDataOptionsScope":"Scope",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Second factors authentication",
|
"sfaTitle":"Second factors authentication",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade": "Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"Activation",
|
"sfRemovedMsgRule":"Activation",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"One user per IP address",
|
"singleUserByIP":"One user per IP address",
|
||||||
"skipRenewConfirmation":"Skip re-auth confirmation",
|
"skipRenewConfirmation":"Skip re-auth confirmation",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Authentication level",
|
"slaveAuthnLevel":"Authentication level",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"Exported variables",
|
"slaveExportedVars":"Exported variables",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Authentication level",
|
||||||
"samlSPMetaDataOptionsRule":"Access rule",
|
"samlSPMetaDataOptionsRule":"Access rule",
|
||||||
"samlSPMetaDataMacros":"Macros",
|
"samlSPMetaDataMacros":"Macros",
|
||||||
"samlIDPName":"SAML IDP Name",
|
"samlIDPName":"SAML IDP Name",
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"Applications CAS",
|
"casAppMetaDataNodes":"Applications CAS",
|
||||||
"casAppMetaDataOptions":"Options",
|
"casAppMetaDataOptions":"Options",
|
||||||
"casAppMetaDataOptionsService":"URL du service",
|
"casAppMetaDataOptionsService":"URL du service",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Niveau d'authentification",
|
||||||
"casAppMetaDataOptionsRule":"Règle",
|
"casAppMetaDataOptionsRule":"Règle",
|
||||||
"casAppMetaDataMacros":"Macros",
|
"casAppMetaDataMacros":"Macros",
|
||||||
"casAppMetaDataOptionsUserAttribute":"Attribut de l'utilisateur",
|
"casAppMetaDataOptionsUserAttribute":"Attribut de l'utilisateur",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Autoriser le changement de mot de passe expiré",
|
"ldapAllowResetExpiredPassword":"Autoriser le changement de mot de passe expiré",
|
||||||
"ldapAuthnLevel":"Niveau d'authentification",
|
"ldapAuthnLevel":"Niveau d'authentification",
|
||||||
"ldapBase":"Base de recherche des utilisateurs",
|
"ldapBase":"Base de recherche des utilisateurs",
|
||||||
|
"ldapCAFile": "Autorité de certification (fichier)",
|
||||||
|
"ldapCAPath": "Autorité de certification (répertoire)",
|
||||||
"ldapChangePasswordAsUser":"Changement en tant qu'utilisateur",
|
"ldapChangePasswordAsUser":"Changement en tant qu'utilisateur",
|
||||||
"ldapConnection":"Connexion",
|
"ldapConnection":"Connexion",
|
||||||
"ldapExportedVars":"Variables exportées",
|
"ldapExportedVars":"Variables exportées",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Opération étendue password modify",
|
"ldapSetPassword":"Opération étendue password modify",
|
||||||
"ldapTimeout":"Temps maximum d'inactivité",
|
"ldapTimeout":"Temps maximum d'inactivité",
|
||||||
"ldapUsePasswordResetAttribute":"Utiliser l'attribut de réinitialisation",
|
"ldapUsePasswordResetAttribute":"Utiliser l'attribut de réinitialisation",
|
||||||
|
"ldapVerify":"Vérifier le certificat du serveur LDAP",
|
||||||
"ldapVersion":"Version",
|
"ldapVersion":"Version",
|
||||||
"level":"Niveau",
|
"level":"Niveau",
|
||||||
"linkedInAuthnLevel":"Niveau d'authentification",
|
"linkedInAuthnLevel":"Niveau d'authentification",
|
||||||
|
@ -577,8 +581,8 @@
|
||||||
"oidcRPMetaDataOptionsTimeouts":"Expiration",
|
"oidcRPMetaDataOptionsTimeouts":"Expiration",
|
||||||
"oidcRPMetaDataOptionsAllowOffline":"Autoriser l'accès hors ligne",
|
"oidcRPMetaDataOptionsAllowOffline":"Autoriser l'accès hors ligne",
|
||||||
"oidcOPMetaDataOptionsCheckJWTSignature":"Vérifier la signature des jetons",
|
"oidcOPMetaDataOptionsCheckJWTSignature":"Vérifier la signature des jetons",
|
||||||
"oidcOPMetaDataOptionsClientID":"Identifiant",
|
"oidcOPMetaDataOptionsClientID":"ID client",
|
||||||
"oidcOPMetaDataOptionsClientSecret":"Mot de passe",
|
"oidcOPMetaDataOptionsClientSecret":"Secret client",
|
||||||
"oidcOPMetaDataOptionsConfiguration":"Configuration",
|
"oidcOPMetaDataOptionsConfiguration":"Configuration",
|
||||||
"oidcOPMetaDataOptionsConfigurationURI":"URI de la configuration",
|
"oidcOPMetaDataOptionsConfigurationURI":"URI de la configuration",
|
||||||
"oidcOPMetaDataOptionsDisplay":"Affichage",
|
"oidcOPMetaDataOptionsDisplay":"Affichage",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protocole",
|
"oidcOPMetaDataOptionsProtocol":"Protocole",
|
||||||
"oidcRPMetaDataOptionsPublic":"Client public",
|
"oidcRPMetaDataOptionsPublic":"Client public",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"PKCE requis",
|
"oidcRPMetaDataOptionsRequirePKCE":"PKCE requis",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
|
||||||
"oidcRPMetaDataOptionsRule":"Règle d'accès",
|
"oidcRPMetaDataOptionsRule":"Règle d'accès",
|
||||||
"oidcRPMetaDataMacros":"Macros",
|
"oidcRPMetaDataMacros":"Macros",
|
||||||
"oidcOPMetaDataOptionsScope":"Étendue",
|
"oidcOPMetaDataOptionsScope":"Étendue",
|
||||||
|
@ -609,8 +614,8 @@
|
||||||
"oidcRPMetaDataOptionsAllowPasswordGrant":"Autoriser le Password Grant OAuth2.0",
|
"oidcRPMetaDataOptionsAllowPasswordGrant":"Autoriser le Password Grant OAuth2.0",
|
||||||
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Expiration des codes d'autorisation",
|
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Expiration des codes d'autorisation",
|
||||||
"oidcRPMetaDataOptionsBypassConsent":"Contourner le consentement",
|
"oidcRPMetaDataOptionsBypassConsent":"Contourner le consentement",
|
||||||
"oidcRPMetaDataOptionsClientID":"Identifiant",
|
"oidcRPMetaDataOptionsClientID":"ID client",
|
||||||
"oidcRPMetaDataOptionsClientSecret":"Mot de passe",
|
"oidcRPMetaDataOptionsClientSecret":"Secret client",
|
||||||
"oidcRPMetaDataOptionsDisplay":"Affichage",
|
"oidcRPMetaDataOptionsDisplay":"Affichage",
|
||||||
"oidcRPMetaDataOptionsDisplayName":"Nom d'affichage",
|
"oidcRPMetaDataOptionsDisplayName":"Nom d'affichage",
|
||||||
"oidcRPMetaDataOptionsIcon":"Logo",
|
"oidcRPMetaDataOptionsIcon":"Logo",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Seconds facteurs d'authentification",
|
"sfaTitle":"Seconds facteurs d'authentification",
|
||||||
"sfExtra":"Seconds facteurs additionnels",
|
"sfExtra":"Seconds facteurs additionnels",
|
||||||
"sfManagerRule":"Afficher le lien du Gestionnaire",
|
"sfManagerRule":"Afficher le lien du Gestionnaire",
|
||||||
|
"sfOnlyUpgrade": "Utiliser le second facteur pour augmenter le niveau d'authentification",
|
||||||
"sfRequired":"Exiger l'enrôlement d'un SF à l'authentification",
|
"sfRequired":"Exiger l'enrôlement d'un SF à l'authentification",
|
||||||
"sfRemovedNotification":"Avertir si un SF expiré est supprimé",
|
"sfRemovedNotification":"Avertir si un SF expiré est supprimé",
|
||||||
"sfRemovedMsgRule":"Activation",
|
"sfRemovedMsgRule":"Activation",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"Une seule session par utilisateur",
|
"singleSession":"Une seule session par utilisateur",
|
||||||
"singleUserByIP":"Un seul utilisateur par adresse IP",
|
"singleUserByIP":"Un seul utilisateur par adresse IP",
|
||||||
"skipRenewConfirmation":"Éviter la confirmation de ré-authentification",
|
"skipRenewConfirmation":"Éviter la confirmation de ré-authentification",
|
||||||
|
"skipUpgradeConfirmation":"Éviter la confirmation d'élévation du niveau d'authentification",
|
||||||
"slaveAuthnLevel":"Niveau d'authentification",
|
"slaveAuthnLevel":"Niveau d'authentification",
|
||||||
"slaveDisplayLogo":"Afficher le logo d'authentification",
|
"slaveDisplayLogo":"Afficher le logo d'authentification",
|
||||||
"slaveExportedVars":"Variables exportées",
|
"slaveExportedVars":"Variables exportées",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durée sessionNotOnOrAfter",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durée sessionNotOnOrAfter",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durée notOnOrAfter",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durée notOnOrAfter",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Forcer l'UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Forcer l'UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
|
||||||
"samlSPMetaDataOptionsRule":"Règle d'accès",
|
"samlSPMetaDataOptionsRule":"Règle d'accès",
|
||||||
"samlSPMetaDataMacros":"Macros",
|
"samlSPMetaDataMacros":"Macros",
|
||||||
"samlIDPName":"Nom du fournisseur d'identité SAML",
|
"samlIDPName":"Nom du fournisseur d'identité SAML",
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"Applicazioni CAS",
|
"casAppMetaDataNodes":"Applicazioni CAS",
|
||||||
"casAppMetaDataOptions":"Opzioni",
|
"casAppMetaDataOptions":"Opzioni",
|
||||||
"casAppMetaDataOptionsService":"URL del servizio",
|
"casAppMetaDataOptionsService":"URL del servizio",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Livello di autenticazione",
|
||||||
"casAppMetaDataOptionsRule":"Regola",
|
"casAppMetaDataOptionsRule":"Regola",
|
||||||
"casAppMetaDataMacros":"Macro",
|
"casAppMetaDataMacros":"Macro",
|
||||||
"casAppMetaDataOptionsUserAttribute":"Attributo utente",
|
"casAppMetaDataOptionsUserAttribute":"Attributo utente",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Consenti di reimpostare una password scaduta",
|
"ldapAllowResetExpiredPassword":"Consenti di reimpostare una password scaduta",
|
||||||
"ldapAuthnLevel":"Livello di autenticazione",
|
"ldapAuthnLevel":"Livello di autenticazione",
|
||||||
"ldapBase":"Base di ricerca degli utenti",
|
"ldapBase":"Base di ricerca degli utenti",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Cambia come utente",
|
"ldapChangePasswordAsUser":"Cambia come utente",
|
||||||
"ldapConnection":"Connessione",
|
"ldapConnection":"Connessione",
|
||||||
"ldapExportedVars":"Variabili esportate",
|
"ldapExportedVars":"Variabili esportate",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Operazione prolungata di modifica password",
|
"ldapSetPassword":"Operazione prolungata di modifica password",
|
||||||
"ldapTimeout":"Timeout",
|
"ldapTimeout":"Timeout",
|
||||||
"ldapUsePasswordResetAttribute":"Utilizza l'attributo di ripristino",
|
"ldapUsePasswordResetAttribute":"Utilizza l'attributo di ripristino",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Versione",
|
"ldapVersion":"Versione",
|
||||||
"level":"Livello",
|
"level":"Livello",
|
||||||
"linkedInAuthnLevel":"Livello di autenticazione",
|
"linkedInAuthnLevel":"Livello di autenticazione",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protocollo",
|
"oidcOPMetaDataOptionsProtocol":"Protocollo",
|
||||||
"oidcRPMetaDataOptionsPublic":"Cliente pubblico",
|
"oidcRPMetaDataOptionsPublic":"Cliente pubblico",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Richiedi PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Richiedi PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
|
||||||
"oidcRPMetaDataOptionsRule":"Regola di accesso",
|
"oidcRPMetaDataOptionsRule":"Regola di accesso",
|
||||||
"oidcRPMetaDataMacros":"Macro",
|
"oidcRPMetaDataMacros":"Macro",
|
||||||
"oidcOPMetaDataOptionsScope":"Scopo",
|
"oidcOPMetaDataOptionsScope":"Scopo",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Autenticazione a due fattori",
|
"sfaTitle":"Autenticazione a due fattori",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"Attivazione",
|
"sfRemovedMsgRule":"Attivazione",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"One user per IP address",
|
"singleUserByIP":"One user per IP address",
|
||||||
"skipRenewConfirmation":"Salta la conferma di re-auth",
|
"skipRenewConfirmation":"Salta la conferma di re-auth",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Livello di autenticazione",
|
"slaveAuthnLevel":"Livello di autenticazione",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"Variabili esportate",
|
"slaveExportedVars":"Variabili esportate",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durata sessionNotOnOrAfter ",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durata sessionNotOnOrAfter ",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durata di notOnOrAfter ",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durata di notOnOrAfter ",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Forza UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Forza UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
|
||||||
"samlSPMetaDataOptionsRule":"Regola di accesso",
|
"samlSPMetaDataOptionsRule":"Regola di accesso",
|
||||||
"samlSPMetaDataMacros":"Macro",
|
"samlSPMetaDataMacros":"Macro",
|
||||||
"samlIDPName":"Nome di SAML IDP ",
|
"samlIDPName":"Nome di SAML IDP ",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
|
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
|
||||||
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
|
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
|
||||||
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
|
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"Aplikacje CAS",
|
"casAppMetaDataNodes":"Aplikacje CAS",
|
||||||
"casAppMetaDataOptions":"Opcje",
|
"casAppMetaDataOptions":"Opcje",
|
||||||
"casAppMetaDataOptionsService":"URL usługi",
|
"casAppMetaDataOptionsService":"URL usługi",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
"casAppMetaDataOptionsRule":"Reguła",
|
"casAppMetaDataOptionsRule":"Reguła",
|
||||||
"casAppMetaDataMacros":"Makra",
|
"casAppMetaDataMacros":"Makra",
|
||||||
"casAppMetaDataOptionsUserAttribute":"Atrybut użytkownika",
|
"casAppMetaDataOptionsUserAttribute":"Atrybut użytkownika",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Pozwól resetować wygasłe hasło",
|
"ldapAllowResetExpiredPassword":"Pozwól resetować wygasłe hasło",
|
||||||
"ldapAuthnLevel":"Poziom uwierzytelnienia",
|
"ldapAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
"ldapBase":"Baza wyszukiwania użytkowników",
|
"ldapBase":"Baza wyszukiwania użytkowników",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Zmień jako użytkownik",
|
"ldapChangePasswordAsUser":"Zmień jako użytkownik",
|
||||||
"ldapConnection":"Połączenie",
|
"ldapConnection":"Połączenie",
|
||||||
"ldapExportedVars":"Wyeksportowane zmienne",
|
"ldapExportedVars":"Wyeksportowane zmienne",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Rozszerzona operacja modyfikacji hasła",
|
"ldapSetPassword":"Rozszerzona operacja modyfikacji hasła",
|
||||||
"ldapTimeout":"Limit czasu",
|
"ldapTimeout":"Limit czasu",
|
||||||
"ldapUsePasswordResetAttribute":"Użyj atrybutu reset",
|
"ldapUsePasswordResetAttribute":"Użyj atrybutu reset",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Wersja",
|
"ldapVersion":"Wersja",
|
||||||
"level":"Poziom",
|
"level":"Poziom",
|
||||||
"linkedInAuthnLevel":"Poziom uwierzytelnienia",
|
"linkedInAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protokół",
|
"oidcOPMetaDataOptionsProtocol":"Protokół",
|
||||||
"oidcRPMetaDataOptionsPublic":"Klient publiczny",
|
"oidcRPMetaDataOptionsPublic":"Klient publiczny",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Wymagaj PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Wymagaj PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
"oidcRPMetaDataOptionsRule":"Reguła dostępu",
|
"oidcRPMetaDataOptionsRule":"Reguła dostępu",
|
||||||
"oidcRPMetaDataMacros":"Makra",
|
"oidcRPMetaDataMacros":"Makra",
|
||||||
"oidcOPMetaDataOptionsScope":"Zakres",
|
"oidcOPMetaDataOptionsScope":"Zakres",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Drugi czynnik uwierzytelniania",
|
"sfaTitle":"Drugi czynnik uwierzytelniania",
|
||||||
"sfExtra":"Dodatkowe drugie czynniki",
|
"sfExtra":"Dodatkowe drugie czynniki",
|
||||||
"sfManagerRule":"Link do Menedżera wyświetlania",
|
"sfManagerRule":"Link do Menedżera wyświetlania",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Wymuś rejestrację 2FA przy logowaniu",
|
"sfRequired":"Wymuś rejestrację 2FA przy logowaniu",
|
||||||
"sfRemovedNotification":"Ostrzeż, gdy przeterminowany 2FA został usunięty",
|
"sfRemovedNotification":"Ostrzeż, gdy przeterminowany 2FA został usunięty",
|
||||||
"sfRemovedMsgRule":"Aktywacja",
|
"sfRemovedMsgRule":"Aktywacja",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"Jedna sesja na użytkownika",
|
"singleSession":"Jedna sesja na użytkownika",
|
||||||
"singleUserByIP":"Jeden użytkownik na adres IP",
|
"singleUserByIP":"Jeden użytkownik na adres IP",
|
||||||
"skipRenewConfirmation":"Pomiń potwierdzenie ponownego uwierzytelnienia",
|
"skipRenewConfirmation":"Pomiń potwierdzenie ponownego uwierzytelnienia",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Poziom uwierzytelnienia",
|
"slaveAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
"slaveDisplayLogo":"Wyświetl logo uwierzytelniające",
|
"slaveDisplayLogo":"Wyświetl logo uwierzytelniające",
|
||||||
"slaveExportedVars":"Wyeksportowane zmienne",
|
"slaveExportedVars":"Wyeksportowane zmienne",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"czas trwania sessionNotOnOrAfter",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"czas trwania sessionNotOnOrAfter",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"czas trwania notOnOrAfter",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"czas trwania notOnOrAfter",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Wymuś UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Wymuś UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
|
||||||
"samlSPMetaDataOptionsRule":"Reguła dostępu",
|
"samlSPMetaDataOptionsRule":"Reguła dostępu",
|
||||||
"samlSPMetaDataMacros":"Makra",
|
"samlSPMetaDataMacros":"Makra",
|
||||||
"samlIDPName":"Nazwa IDP SAML",
|
"samlIDPName":"Nazwa IDP SAML",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"Limit czasu sesji RelayState",
|
"samlRelayStateTimeout":"Limit czasu sesji RelayState",
|
||||||
"samlUseQueryStringSpecific":"Użyj określonej metody query_string",
|
"samlUseQueryStringSpecific":"Użyj określonej metody query_string",
|
||||||
"samlOverrideIDPEntityID":"Zastąp identyfikator jednostki podczas działania jako IDP"
|
"samlOverrideIDPEntityID":"Zastąp identyfikator jednostki podczas działania jako IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"CAS Uygulamaları",
|
"casAppMetaDataNodes":"CAS Uygulamaları",
|
||||||
"casAppMetaDataOptions":"Seçenekler",
|
"casAppMetaDataOptions":"Seçenekler",
|
||||||
"casAppMetaDataOptionsService":"Servis URL'si",
|
"casAppMetaDataOptionsService":"Servis URL'si",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
|
||||||
"casAppMetaDataOptionsRule":"Kural",
|
"casAppMetaDataOptionsRule":"Kural",
|
||||||
"casAppMetaDataMacros":"Makrolar",
|
"casAppMetaDataMacros":"Makrolar",
|
||||||
"casAppMetaDataOptionsUserAttribute":"Kullanıcı niteliği",
|
"casAppMetaDataOptionsUserAttribute":"Kullanıcı niteliği",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Süresi dolmuş bir parolayı sıfırlamaya izin ver",
|
"ldapAllowResetExpiredPassword":"Süresi dolmuş bir parolayı sıfırlamaya izin ver",
|
||||||
"ldapAuthnLevel":"Doğrulama seviyesi",
|
"ldapAuthnLevel":"Doğrulama seviyesi",
|
||||||
"ldapBase":"Kullanıcı arama tabanı",
|
"ldapBase":"Kullanıcı arama tabanı",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Kullanıcı olarak değiştir",
|
"ldapChangePasswordAsUser":"Kullanıcı olarak değiştir",
|
||||||
"ldapConnection":"Bağlantı",
|
"ldapConnection":"Bağlantı",
|
||||||
"ldapExportedVars":"Dışa aktarılan değişkenler",
|
"ldapExportedVars":"Dışa aktarılan değişkenler",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Parola değiştirme işlemi genişletilmiş",
|
"ldapSetPassword":"Parola değiştirme işlemi genişletilmiş",
|
||||||
"ldapTimeout":"Zaman aşımı",
|
"ldapTimeout":"Zaman aşımı",
|
||||||
"ldapUsePasswordResetAttribute":"Sıfırlama niteliklerini kullan",
|
"ldapUsePasswordResetAttribute":"Sıfırlama niteliklerini kullan",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Sürüm",
|
"ldapVersion":"Sürüm",
|
||||||
"level":"Seviye",
|
"level":"Seviye",
|
||||||
"linkedInAuthnLevel":"Doğrulama seviyesi",
|
"linkedInAuthnLevel":"Doğrulama seviyesi",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protokol",
|
"oidcOPMetaDataOptionsProtocol":"Protokol",
|
||||||
"oidcRPMetaDataOptionsPublic":"Açık istemci",
|
"oidcRPMetaDataOptionsPublic":"Açık istemci",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"PKCE gerektir",
|
"oidcRPMetaDataOptionsRequirePKCE":"PKCE gerektir",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
|
||||||
"oidcRPMetaDataOptionsRule":"Erişim kuralı",
|
"oidcRPMetaDataOptionsRule":"Erişim kuralı",
|
||||||
"oidcRPMetaDataMacros":"Makrolar",
|
"oidcRPMetaDataMacros":"Makrolar",
|
||||||
"oidcOPMetaDataOptionsScope":"Kapsam",
|
"oidcOPMetaDataOptionsScope":"Kapsam",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"İki faktörlü kimlik doğrulaması",
|
"sfaTitle":"İki faktörlü kimlik doğrulaması",
|
||||||
"sfExtra":"Ek ikinci faktörler",
|
"sfExtra":"Ek ikinci faktörler",
|
||||||
"sfManagerRule":"Yönetici bağlantısını görüntüle",
|
"sfManagerRule":"Yönetici bağlantısını görüntüle",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Girişte 2FA kayıtlanmaya zorla",
|
"sfRequired":"Girişte 2FA kayıtlanmaya zorla",
|
||||||
"sfRemovedNotification":"Süresi dolan 2FA kaldırıldığında uyar",
|
"sfRemovedNotification":"Süresi dolan 2FA kaldırıldığında uyar",
|
||||||
"sfRemovedMsgRule":"Aktivasyon",
|
"sfRemovedMsgRule":"Aktivasyon",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"Her kullanıcı için bir oturum",
|
"singleSession":"Her kullanıcı için bir oturum",
|
||||||
"singleUserByIP":"Her IP adresi için bir kullanıcı",
|
"singleUserByIP":"Her IP adresi için bir kullanıcı",
|
||||||
"skipRenewConfirmation":"Yeniden yetkilendirme doğrulamasını geç",
|
"skipRenewConfirmation":"Yeniden yetkilendirme doğrulamasını geç",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Doğrulama seviyesi",
|
"slaveAuthnLevel":"Doğrulama seviyesi",
|
||||||
"slaveDisplayLogo":"Doğrulama logosunu görüntüle",
|
"slaveDisplayLogo":"Doğrulama logosunu görüntüle",
|
||||||
"slaveExportedVars":"Dışa aktarılan değişkenler",
|
"slaveExportedVars":"Dışa aktarılan değişkenler",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter süresi",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter süresi",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter süresi",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter süresi",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"UTF-8'e zorla",
|
"samlSPMetaDataOptionsForceUTF8":"UTF-8'e zorla",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
|
||||||
"samlSPMetaDataOptionsRule":"Erişim kuralı",
|
"samlSPMetaDataOptionsRule":"Erişim kuralı",
|
||||||
"samlSPMetaDataMacros":"Makrolar",
|
"samlSPMetaDataMacros":"Makrolar",
|
||||||
"samlIDPName":"SAML IDP Adı",
|
"samlIDPName":"SAML IDP Adı",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"RelayState oturum zaman aşımı",
|
"samlRelayStateTimeout":"RelayState oturum zaman aşımı",
|
||||||
"samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
|
"samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
|
||||||
"samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
|
"samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"Ứng dụng CAS",
|
"casAppMetaDataNodes":"Ứng dụng CAS",
|
||||||
"casAppMetaDataOptions":"Tùy chọn",
|
"casAppMetaDataOptions":"Tùy chọn",
|
||||||
"casAppMetaDataOptionsService":"Dịch vụ URL",
|
"casAppMetaDataOptionsService":"Dịch vụ URL",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"Mức xác thực",
|
||||||
"casAppMetaDataOptionsRule":"Quy tắc",
|
"casAppMetaDataOptionsRule":"Quy tắc",
|
||||||
"casAppMetaDataMacros":"Macros",
|
"casAppMetaDataMacros":"Macros",
|
||||||
"casAppMetaDataOptionsUserAttribute":"thuộc tính người dùng",
|
"casAppMetaDataOptionsUserAttribute":"thuộc tính người dùng",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Cho phép đặt lại mật khẩu đã hết hạn",
|
"ldapAllowResetExpiredPassword":"Cho phép đặt lại mật khẩu đã hết hạn",
|
||||||
"ldapAuthnLevel":"Mức xác thực",
|
"ldapAuthnLevel":"Mức xác thực",
|
||||||
"ldapBase":"Cơ sở tìm kiếm người dùng",
|
"ldapBase":"Cơ sở tìm kiếm người dùng",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Thay đổi như người dùng",
|
"ldapChangePasswordAsUser":"Thay đổi như người dùng",
|
||||||
"ldapConnection":"Kết nối",
|
"ldapConnection":"Kết nối",
|
||||||
"ldapExportedVars":"Biến đã được xuất",
|
"ldapExportedVars":"Biến đã được xuất",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Mật khẩu sửa đổi hoạt động mở rộng",
|
"ldapSetPassword":"Mật khẩu sửa đổi hoạt động mở rộng",
|
||||||
"ldapTimeout":"Thời gian chờ",
|
"ldapTimeout":"Thời gian chờ",
|
||||||
"ldapUsePasswordResetAttribute":"Sử dụng thuộc tính đặt lại",
|
"ldapUsePasswordResetAttribute":"Sử dụng thuộc tính đặt lại",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"Phiên bản",
|
"ldapVersion":"Phiên bản",
|
||||||
"level":"Mức",
|
"level":"Mức",
|
||||||
"linkedInAuthnLevel":"Mức xác thực",
|
"linkedInAuthnLevel":"Mức xác thực",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Giao thức",
|
"oidcOPMetaDataOptionsProtocol":"Giao thức",
|
||||||
"oidcRPMetaDataOptionsPublic":"Public client",
|
"oidcRPMetaDataOptionsPublic":"Public client",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"Mức xác thực",
|
||||||
"oidcRPMetaDataOptionsRule":"Quy tắc truy cập",
|
"oidcRPMetaDataOptionsRule":"Quy tắc truy cập",
|
||||||
"oidcRPMetaDataMacros":"Macros",
|
"oidcRPMetaDataMacros":"Macros",
|
||||||
"oidcOPMetaDataOptionsScope":"Phạm vi",
|
"oidcOPMetaDataOptionsScope":"Phạm vi",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Second factors authentication",
|
"sfaTitle":"Second factors authentication",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"Kích hoạt",
|
"sfRemovedMsgRule":"Kích hoạt",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"Một người dùng theo địa chỉ IP",
|
"singleUserByIP":"Một người dùng theo địa chỉ IP",
|
||||||
"skipRenewConfirmation":"Skip re-auth confirmation",
|
"skipRenewConfirmation":"Skip re-auth confirmation",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"Mức xác thực",
|
"slaveAuthnLevel":"Mức xác thực",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"Biến đã được xuất",
|
"slaveExportedVars":"Biến đã được xuất",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"thời gian sessionNotOnOrAfter ",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"thời gian sessionNotOnOrAfter ",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Thời gian notOnOrAfter ",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Thời gian notOnOrAfter ",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Bắt buộc UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Bắt buộc UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"Mức xác thực",
|
||||||
"samlSPMetaDataOptionsRule":"Quy tắc truy cập",
|
"samlSPMetaDataOptionsRule":"Quy tắc truy cập",
|
||||||
"samlSPMetaDataMacros":"Macros",
|
"samlSPMetaDataMacros":"Macros",
|
||||||
"samlIDPName":"Tên SAML IDP ",
|
"samlIDPName":"Tên SAML IDP ",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
|
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
|
||||||
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
|
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
|
||||||
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -122,6 +122,7 @@
|
||||||
"casAppMetaDataNodes":"CAS 系列应用",
|
"casAppMetaDataNodes":"CAS 系列应用",
|
||||||
"casAppMetaDataOptions":"选项",
|
"casAppMetaDataOptions":"选项",
|
||||||
"casAppMetaDataOptionsService":"服务 URL",
|
"casAppMetaDataOptionsService":"服务 URL",
|
||||||
|
"casAppMetaDataOptionsAuthnLevel":"认证级别",
|
||||||
"casAppMetaDataOptionsRule":"规则",
|
"casAppMetaDataOptionsRule":"规则",
|
||||||
"casAppMetaDataMacros":"Macros",
|
"casAppMetaDataMacros":"Macros",
|
||||||
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
"casAppMetaDataOptionsUserAttribute":"User attribute",
|
||||||
|
@ -411,6 +412,8 @@
|
||||||
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
|
||||||
"ldapAuthnLevel":"认证等级",
|
"ldapAuthnLevel":"认证等级",
|
||||||
"ldapBase":"Users search base",
|
"ldapBase":"Users search base",
|
||||||
|
"ldapCAFile": "CA file path",
|
||||||
|
"ldapCAPath": "CA directory path",
|
||||||
"ldapChangePasswordAsUser":"Change as user",
|
"ldapChangePasswordAsUser":"Change as user",
|
||||||
"ldapConnection":"连接",
|
"ldapConnection":"连接",
|
||||||
"ldapExportedVars":"Exported variables",
|
"ldapExportedVars":"Exported variables",
|
||||||
|
@ -439,6 +442,7 @@
|
||||||
"ldapSetPassword":"Password modify extended operation",
|
"ldapSetPassword":"Password modify extended operation",
|
||||||
"ldapTimeout":"Timeout",
|
"ldapTimeout":"Timeout",
|
||||||
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
"ldapUsePasswordResetAttribute":"Use reset attribute",
|
||||||
|
"ldapVerify":"Verify LDAP server certificate",
|
||||||
"ldapVersion":"版本",
|
"ldapVersion":"版本",
|
||||||
"level":"Level",
|
"level":"Level",
|
||||||
"linkedInAuthnLevel":"认证等级",
|
"linkedInAuthnLevel":"认证等级",
|
||||||
|
@ -593,6 +597,7 @@
|
||||||
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
"oidcOPMetaDataOptionsProtocol":"Protocol",
|
||||||
"oidcRPMetaDataOptionsPublic":"Public client",
|
"oidcRPMetaDataOptionsPublic":"Public client",
|
||||||
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
|
||||||
|
"oidcRPMetaDataOptionsAuthnLevel":"认证级别",
|
||||||
"oidcRPMetaDataOptionsRule":"Access rule",
|
"oidcRPMetaDataOptionsRule":"Access rule",
|
||||||
"oidcRPMetaDataMacros":"Macros",
|
"oidcRPMetaDataMacros":"Macros",
|
||||||
"oidcOPMetaDataOptionsScope":"Scope",
|
"oidcOPMetaDataOptionsScope":"Scope",
|
||||||
|
@ -849,6 +854,7 @@
|
||||||
"sfaTitle":"Second factors authentication",
|
"sfaTitle":"Second factors authentication",
|
||||||
"sfExtra":"Additional second factors",
|
"sfExtra":"Additional second factors",
|
||||||
"sfManagerRule":"Display Manager link",
|
"sfManagerRule":"Display Manager link",
|
||||||
|
"sfOnlyUpgrade":"Use 2FA for session upgrade",
|
||||||
"sfRequired":"Force 2FA registration at login",
|
"sfRequired":"Force 2FA registration at login",
|
||||||
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
"sfRemovedNotification":"Warn if an expired 2FA is removed",
|
||||||
"sfRemovedMsgRule":"激活",
|
"sfRemovedMsgRule":"激活",
|
||||||
|
@ -864,6 +870,7 @@
|
||||||
"singleSession":"One session per user",
|
"singleSession":"One session per user",
|
||||||
"singleUserByIP":"One user per IP address",
|
"singleUserByIP":"One user per IP address",
|
||||||
"skipRenewConfirmation":"Skip re-auth confirmation",
|
"skipRenewConfirmation":"Skip re-auth confirmation",
|
||||||
|
"skipUpgradeConfirmation":"Skip upgrade confirmation",
|
||||||
"slaveAuthnLevel":"认证等级",
|
"slaveAuthnLevel":"认证等级",
|
||||||
"slaveDisplayLogo":"Display authentication logo",
|
"slaveDisplayLogo":"Display authentication logo",
|
||||||
"slaveExportedVars":"Exported variables",
|
"slaveExportedVars":"Exported variables",
|
||||||
|
@ -1076,6 +1083,7 @@
|
||||||
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
|
||||||
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
|
||||||
|
"samlSPMetaDataOptionsAuthnLevel":"认证级别",
|
||||||
"samlSPMetaDataOptionsRule":"Access rule",
|
"samlSPMetaDataOptionsRule":"Access rule",
|
||||||
"samlSPMetaDataMacros":"Macros",
|
"samlSPMetaDataMacros":"Macros",
|
||||||
"samlIDPName":"SAML IDP Name",
|
"samlIDPName":"SAML IDP Name",
|
||||||
|
@ -1143,4 +1151,4 @@
|
||||||
"samlRelayStateTimeout":"RelayState session timeout",
|
"samlRelayStateTimeout":"RelayState session timeout",
|
||||||
"samlUseQueryStringSpecific":"Use specific query_string method",
|
"samlUseQueryStringSpecific":"Use specific query_string method",
|
||||||
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
|
||||||
}
|
}
|
||||||
|
|
|
@ -67,7 +67,7 @@
|
||||||
},
|
},
|
||||||
"requires" : {
|
"requires" : {
|
||||||
"Clone" : "0",
|
"Clone" : "0",
|
||||||
"Lemonldap::NG::Handler" : "v2.0.8",
|
"Lemonldap::NG::Handler" : "v2.0.9",
|
||||||
"Regexp::Assemble" : "0"
|
"Regexp::Assemble" : "0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -81,6 +81,6 @@
|
||||||
],
|
],
|
||||||
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
|
||||||
},
|
},
|
||||||
"version" : "v2.0.8",
|
"version" : "v2.0.9",
|
||||||
"x_serialization_backend" : "JSON::PP version 4.02"
|
"x_serialization_backend" : "JSON::PP version 2.97001"
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,12 +52,12 @@ recommends:
|
||||||
Web::ID: '0'
|
Web::ID: '0'
|
||||||
requires:
|
requires:
|
||||||
Clone: '0'
|
Clone: '0'
|
||||||
Lemonldap::NG::Handler: v2.0.8
|
Lemonldap::NG::Handler: v2.0.9
|
||||||
Regexp::Assemble: '0'
|
Regexp::Assemble: '0'
|
||||||
resources:
|
resources:
|
||||||
MailingList: mailto:lemonldap-ng-dev@ow2.org
|
MailingList: mailto:lemonldap-ng-dev@ow2.org
|
||||||
X_twitter: https://twitter.com/lemonldapng
|
X_twitter: https://twitter.com/lemonldapng
|
||||||
homepage: http://lemonldap-ng.org/
|
homepage: http://lemonldap-ng.org/
|
||||||
license: http://opensource.org/licenses/GPL-2.0
|
license: http://opensource.org/licenses/GPL-2.0
|
||||||
version: v2.0.8
|
version: v2.0.9
|
||||||
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
|
||||||
|
|
|
@ -63,7 +63,7 @@ WriteMakefile(
|
||||||
},
|
},
|
||||||
PREREQ_PM => {
|
PREREQ_PM => {
|
||||||
'Clone' => 0,
|
'Clone' => 0,
|
||||||
'Lemonldap::NG::Handler' => '2.0.8',
|
'Lemonldap::NG::Handler' => '2.0.9',
|
||||||
'Regexp::Assemble' => 0,
|
'Regexp::Assemble' => 0,
|
||||||
},
|
},
|
||||||
(
|
(
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Alias for Lemonldap::NG::Portal::Main
|
# Alias for Lemonldap::NG::Portal::Main
|
||||||
package Lemonldap::NG::Portal;
|
package Lemonldap::NG::Portal;
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
use Lemonldap::NG::Portal::Main;
|
use Lemonldap::NG::Portal::Main;
|
||||||
use base 'Lemonldap::NG::Portal::Main';
|
use base 'Lemonldap::NG::Portal::Main';
|
||||||
|
|
||||||
|
|
|
@ -19,9 +19,10 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_OK
|
PE_OK
|
||||||
PE_SENDRESPONSE
|
PE_SENDRESPONSE
|
||||||
PE_TOKENEXPIRED
|
PE_TOKENEXPIRED
|
||||||
|
PE_NO_SECOND_FACTORS
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||||
with 'Lemonldap::NG::Portal::Lib::OverConf';
|
with 'Lemonldap::NG::Portal::Lib::OverConf';
|
||||||
|
@ -198,7 +199,30 @@ sub run {
|
||||||
$self->logger->debug("2F checkLogins set") if ($checkLogins);
|
$self->logger->debug("2F checkLogins set") if ($checkLogins);
|
||||||
|
|
||||||
# Skip 2F unless a module has been registered
|
# Skip 2F unless a module has been registered
|
||||||
return PE_OK unless ( @{ $self->sfModules } );
|
unless ( @{ $self->sfModules } ) {
|
||||||
|
if ( $self->conf->{sfOnlyUpgrade} and $req->data->{doingSfUpgrade} ) {
|
||||||
|
$self->logger->error(
|
||||||
|
"Trying to perform 2FA session upgrade but no "
|
||||||
|
. "second factor modules are configured" );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return PE_OK;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Skip 2F if authnLevel is already high enough
|
||||||
|
if (
|
||||||
|
$self->conf->{sfOnlyUpgrade}
|
||||||
|
and ( ( $req->pdata->{targetAuthnLevel} || 0 ) <=
|
||||||
|
( $req->sessionInfo->{authenticationLevel} || 0 ) )
|
||||||
|
)
|
||||||
|
{
|
||||||
|
$self->logger->debug(
|
||||||
|
"Current authentication level satisfied target service,"
|
||||||
|
. " skipping 2FA" );
|
||||||
|
return PE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
# Remove expired 2F devices
|
# Remove expired 2F devices
|
||||||
my $session = $req->sessionInfo;
|
my $session = $req->sessionInfo;
|
||||||
|
@ -296,7 +320,16 @@ sub run {
|
||||||
return PE_SENDRESPONSE;
|
return PE_SENDRESPONSE;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
return PE_OK;
|
if ( $self->conf->{sfOnlyUpgrade} and $req->data->{doingSfUpgrade} )
|
||||||
|
{
|
||||||
|
|
||||||
|
# cancel redirection to issuer/vhost
|
||||||
|
delete $req->pdata->{_url};
|
||||||
|
return PE_NO_SECOND_FACTORS;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return PE_OK;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
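Review bot: `return PE_ERROR;` in the no-modules branch of the first `sub run` hunk depends on PE_ERROR being in the Constants import list, but the import hunk above only adds PE_NO_SECOND_FACTORS and the top of that qw() list is outside the hunk; if PE_ERROR is not already imported there, this is a bareword under strict and the file will not compile. The upgrade shortcut compares `$req->pdata->{targetAuthnLevel}` with the session's authenticationLevel, yet nothing in these hunks deletes `targetAuthnLevel` on either the skip or the success path, so if pdata persists across requests a stale target level from an earlier service could drive the decision for a later login unless it is cleared elsewhere — worth confirming. A one-line comment on the skip branch would help the next reader, e.g. `# With sfOnlyUpgrade, 2FA is only demanded when a service asked for a level above the current one`, and the `delete $req->pdata->{_url}` path in the second hunk should say why the redirect is cancelled rather than just that it is. `sub run` starts and ends outside both hunks.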
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_SENDRESPONSE
|
PE_SENDRESPONSE
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Portal::Main::SecondFactor';
|
extends 'Lemonldap::NG::Portal::Main::SecondFactor';
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_SENDRESPONSE
|
PE_SENDRESPONSE
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.6';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Portal::Main::Auth';
|
extends 'Lemonldap::NG::Portal::Main::Auth';
|
||||||
|
|
||||||
|
|
|
@ -100,6 +100,13 @@ sub storeEnvAndCheckGateway {
|
||||||
|
|
||||||
if ($app) {
|
if ($app) {
|
||||||
$req->env->{llng_cas_app} = $app;
|
$req->env->{llng_cas_app} = $app;
|
||||||
|
|
||||||
|
# Store target authentication level in pdata
|
||||||
|
my $targetAuthnLevel = $self->conf->{casAppMetaDataOptions}->{$app}
|
||||||
|
->{casAppMetaDataOptionsAuthnLevel};
|
||||||
|
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
|
||||||
|
if $targetAuthnLevel;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -150,20 +157,6 @@ sub run {
|
||||||
|| $req->param('gateway');
|
|| $req->param('gateway');
|
||||||
my $casServiceTicket;
|
my $casServiceTicket;
|
||||||
|
|
||||||
# Renew
|
|
||||||
if ( $renew
|
|
||||||
and $renew eq 'true'
|
|
||||||
and time - $req->sessionInfo->{_utime} >
|
|
||||||
$self->conf->{portalForceAuthnInterval} )
|
|
||||||
{
|
|
||||||
|
|
||||||
# Authentication must be replayed
|
|
||||||
$self->logger->debug("Authentication renew requested");
|
|
||||||
$self->{updateSession} = 1;
|
|
||||||
$req->env->{QUERY_STRING} =~ s/renew=true/renew=false/;
|
|
||||||
return $self->reAuth($req);
|
|
||||||
}
|
|
||||||
|
|
||||||
# If no service defined, exit
|
# If no service defined, exit
|
||||||
unless ( defined $service ) {
|
unless ( defined $service ) {
|
||||||
$self->logger->debug("No service defined in CAS URL");
|
$self->logger->debug("No service defined in CAS URL");
|
||||||
|
@ -177,6 +170,26 @@ sub run {
|
||||||
my ( $host, $uri ) = ( $1, $2 );
|
my ( $host, $uri ) = ( $1, $2 );
|
||||||
my $app = $self->casAppList->{$host};
|
my $app = $self->casAppList->{$host};
|
||||||
|
|
||||||
|
my $spAuthnLevel =
|
||||||
|
$self->conf->{casAppMetaDataOptions}->{$app}
|
||||||
|
->{casAppMetaDataOptionsAuthnLevel} || 0;
|
||||||
|
|
||||||
|
# Renew
|
||||||
|
if ( $renew
|
||||||
|
and $renew eq 'true'
|
||||||
|
and time - $req->sessionInfo->{_utime} >
|
||||||
|
$self->conf->{portalForceAuthnInterval} )
|
||||||
|
{
|
||||||
|
|
||||||
|
# Authentication must be replayed
|
||||||
|
$self->logger->debug("Authentication renew requested");
|
||||||
|
$self->{updateSession} = 1;
|
||||||
|
$req->env->{QUERY_STRING} =~ s/renew=true/renew=false/;
|
||||||
|
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
|
return $self->reAuth($req);
|
||||||
|
}
|
||||||
|
|
||||||
# Check access on the service
|
# Check access on the service
|
||||||
my $casAccessControlPolicy = $self->conf->{casAccessControlPolicy};
|
my $casAccessControlPolicy = $self->conf->{casAccessControlPolicy};
|
||||||
|
|
||||||
|
@ -188,6 +201,21 @@ sub run {
|
||||||
$self->userLogger->error('CAS service not configured');
|
$self->userLogger->error('CAS service not configured');
|
||||||
return PE_CAS_SERVICE_NOT_ALLOWED;
|
return PE_CAS_SERVICE_NOT_ALLOWED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check if we have sufficient auth level
|
||||||
|
my $authenticationLevel =
|
||||||
|
$req->{sessionInfo}->{authenticationLevel} || 0;
|
||||||
|
if ( $authenticationLevel < $spAuthnLevel ) {
|
||||||
|
$self->logger->debug(
|
||||||
|
"Insufficient authentication level for service $app"
|
||||||
|
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
|
||||||
|
|
||||||
|
# Reauth with sp auth level as target
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
|
return $self->upgradeAuth($req);
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check access rule
|
||||||
if ( my $rule = $self->spRules->{$app} ) {
|
if ( my $rule = $self->spRules->{$app} ) {
|
||||||
if ( $rule->( $req, $req->sessionInfo ) ) {
|
if ( $rule->( $req, $req->sessionInfo ) ) {
|
||||||
$self->logger->debug("CAS service $service access allowed");
|
$self->logger->debug("CAS service $service access allowed");
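Review bot: The `$spAuthnLevel` lookup added right after `my $app = $self->casAppList->{$host};` runs before the service is validated, so for a host that is not a configured CAS application `$app` is undef: `->{$app}` then emits an uninitialized-value warning and, because Perl autovivifies intermediate levels even on a read, leaves an empty `casAppMetaDataOptions->{''}` entry in the shared configuration hash. Guard the lookup, e.g. `my $spAuthnLevel = $app ? ( $self->conf->{casAppMetaDataOptions}->{$app}->{casAppMetaDataOptionsAuthnLevel} || 0 ) : 0;`. The same unguarded read appears in the OIDC `exportRequestParameters` hunk, where `llng_oidc_rp` is assigned only `if $rp` but the `oidcRPMetaDataOptions->{$rp}` lookup that follows is not; the SAML `storeEnv` hunk is already inside its `if ( my $spConfKey = ... )` guard. `run` starts and ends outside this hunk.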
|
||||||
|
|
|
@ -321,6 +321,9 @@ sub run {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my $spAuthnLevel = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsAuthnLevel} || 0;
|
||||||
|
|
||||||
# Check if user needs to be reauthenticated
|
# Check if user needs to be reauthenticated
|
||||||
my $prompt = $oidc_request->{'prompt'};
|
my $prompt = $oidc_request->{'prompt'};
|
||||||
if (
|
if (
|
||||||
|
@ -334,6 +337,7 @@ sub run {
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
"Reauthentication required by Relying Party in prompt parameter"
|
"Reauthentication required by Relying Party in prompt parameter"
|
||||||
);
|
);
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
return $self->reAuth($req);
|
return $self->reAuth($req);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -343,9 +347,23 @@ sub run {
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
"Reauthentication forced because authentication time ($_lastAuthnUTime) is too old (>$max_age s)"
|
"Reauthentication forced because authentication time ($_lastAuthnUTime) is too old (>$max_age s)"
|
||||||
);
|
);
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
return $self->reAuth($req);
|
return $self->reAuth($req);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check if we have sufficient auth level
|
||||||
|
my $authenticationLevel =
|
||||||
|
$req->{sessionInfo}->{authenticationLevel} || 0;
|
||||||
|
if ( $authenticationLevel < $spAuthnLevel ) {
|
||||||
|
$self->logger->debug(
|
||||||
|
"Insufficient authentication level for service $rp"
|
||||||
|
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
|
||||||
|
|
||||||
|
# Reauth with sp auth level as target
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
|
return $self->upgradeAuth($req);
|
||||||
|
}
|
||||||
|
|
||||||
# Check scope validity
|
# Check scope validity
|
||||||
# We use a slightly more relaxed version of
|
# We use a slightly more relaxed version of
|
||||||
# https://tools.ietf.org/html/rfc6749#appendix-A.4
|
# https://tools.ietf.org/html/rfc6749#appendix-A.4
|
||||||
|
@ -2162,6 +2180,12 @@ sub exportRequestParameters {
|
||||||
if ( $req->param('client_id') ) {
|
if ( $req->param('client_id') ) {
|
||||||
my $rp = $self->getRP( $req->param('client_id') );
|
my $rp = $self->getRP( $req->param('client_id') );
|
||||||
$req->env->{"llng_oidc_rp"} = $rp if $rp;
|
$req->env->{"llng_oidc_rp"} = $rp if $rp;
|
||||||
|
|
||||||
|
# Store target authentication level in pdata
|
||||||
|
my $targetAuthnLevel = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsAuthnLevel};
|
||||||
|
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
|
||||||
|
if $targetAuthnLevel;
|
||||||
}
|
}
|
||||||
|
|
||||||
return PE_OK;
|
return PE_OK;
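Review bot: The step-up block added to `run` here (`my $spAuthnLevel = ... || 0`, the `$authenticationLevel < $spAuthnLevel` comparison, the debug line, then `$req->pdata->{targetAuthnLevel} = $spAuthnLevel;` and `return $self->upgradeAuth($req);`) is the third copy of the block the CAS and SAML `run` hunks add, differing only in the option name and the log label. A helper on the shared issuer base, for instance `$self->checkAuthnLevel( $req, $spAuthnLevel, $label )` returning the `upgradeAuth` result or nothing, would keep the three issuers from drifting the next time the comparison or the message is revised. Logging the decision through `userLogger` rather than `logger->debug` would also expose these step-up events in the per-user audit trail. `run` starts and ends outside these hunks.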
|
||||||
|
|
|
@ -185,6 +185,13 @@ sub storeEnv {
|
||||||
$req->env->{llng_saml_sp} = $sp;
|
$req->env->{llng_saml_sp} = $sp;
|
||||||
if ( my $spConfKey = $self->spList->{$sp}->{confKey} ) {
|
if ( my $spConfKey = $self->spList->{$sp}->{confKey} ) {
|
||||||
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
||||||
|
|
||||||
|
# Store target authentication level in pdata
|
||||||
|
my $targetAuthnLevel =
|
||||||
|
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
||||||
|
->{samlSPMetaDataOptionsAuthnLevel};
|
||||||
|
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
|
||||||
|
if $targetAuthnLevel;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return PE_OK;
|
return PE_OK;
|
||||||
|
@ -389,6 +396,7 @@ sub run {
|
||||||
$self->logger->debug("$sp match $spConfKey SP in configuration");
|
$self->logger->debug("$sp match $spConfKey SP in configuration");
|
||||||
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
||||||
|
|
||||||
|
# Check access rule
|
||||||
if ( my $rule = $self->spRules->{$spConfKey} ) {
|
if ( my $rule = $self->spRules->{$spConfKey} ) {
|
||||||
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
||||||
$self->userLogger->warn( 'User '
|
$self->userLogger->warn( 'User '
|
||||||
|
@ -450,6 +458,10 @@ sub run {
|
||||||
|
|
||||||
$self->logger->debug("SSO: authentication request is valid");
|
$self->logger->debug("SSO: authentication request is valid");
|
||||||
|
|
||||||
|
my $spAuthnLevel =
|
||||||
|
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
|
||||||
|
->{samlSPMetaDataOptionsAuthnLevel} || 0;
|
||||||
|
|
||||||
# Get ForceAuthn flag
|
# Get ForceAuthn flag
|
||||||
my $force_authn;
|
my $force_authn;
|
||||||
|
|
||||||
|
@ -477,6 +489,7 @@ sub run {
|
||||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
||||||
|
|
||||||
# Replay authentication process
|
# Replay authentication process
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
return $self->reAuth($req);
|
return $self->reAuth($req);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -486,9 +499,18 @@ sub run {
|
||||||
unless ( $self->checkDestination( $login->request, $url ) );
|
unless ( $self->checkDestination( $login->request, $url ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
# Map authenticationLevel with SAML2 authentication context
|
# Check if we have sufficient auth level
|
||||||
my $authenticationLevel =
|
my $authenticationLevel =
|
||||||
$req->{sessionInfo}->{authenticationLevel};
|
$req->{sessionInfo}->{authenticationLevel} || 0;
|
||||||
|
if ( $authenticationLevel < $spAuthnLevel ) {
|
||||||
|
$self->logger->debug(
|
||||||
|
"Insufficient authentication level for service $spConfKey"
|
||||||
|
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
|
||||||
|
|
||||||
|
# Reauth with sp auth level as target
|
||||||
|
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
|
||||||
|
return $self->upgradeAuth($req);
|
||||||
|
}
|
||||||
|
|
||||||
$authn_context =
|
$authn_context =
|
||||||
$self->authnLevel2authnContext($authenticationLevel);
|
$self->authnLevel2authnContext($authenticationLevel);
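Review bot: In the `storeEnv` hunk `$req->pdata->{targetAuthnLevel}` is assigned only `if $targetAuthnLevel`, so an SP with no `samlSPMetaDataOptionsAuthnLevel` keeps whatever value an earlier request for a different SP left in pdata; unless pdata is reset elsewhere in the flow (not visible here), add `else { delete $req->pdata->{targetAuthnLevel}; }` so a stale target level cannot carry over. The same conditional form is used in the CAS `storeEnvAndCheckGateway` and OIDC `exportRequestParameters` hunks. Separately, the replaced comment `# Map authenticationLevel with SAML2 authentication context` described the `$authn_context = $self->authnLevel2authnContext(...)` statement that still follows the new check; restore it directly above that statement so the mapping stays explained. `storeEnv` and `run` both start outside their hunks.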
|
||||||
|
|
|
@ -8,7 +8,7 @@ use Lemonldap::NG::Portal::Main::Constants
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Common::Module';
|
extends 'Lemonldap::NG::Common::Module';
|
||||||
|
|
||||||
our $VERSION = '2.0.6';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
# PROPERTIES
|
# PROPERTIES
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ use Unicode::String qw(utf8);
|
||||||
use Scalar::Util 'weaken';
|
use Scalar::Util 'weaken';
|
||||||
use utf8;
|
use utf8;
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
our $ppLoaded = 0;
|
our $ppLoaded = 0;
|
||||||
|
|
||||||
BEGIN {
|
BEGIN {
|
||||||
|
@ -52,21 +52,37 @@ sub new {
|
||||||
( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
|
( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
|
||||||
( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
|
( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
|
||||||
( $conf->{ldapRaw} ? ( raw => $conf->{ldapRaw} ) : () ),
|
( $conf->{ldapRaw} ? ( raw => $conf->{ldapRaw} ) : () ),
|
||||||
( $conf->{caFile} ? ( cafile => $conf->{caFile} ) : () ),
|
( $conf->{ldapCAFile} ? ( cafile => $conf->{ldapCAFile} ) : () ),
|
||||||
( $conf->{caPath} ? ( capath => $conf->{caPath} ) : () ),
|
( $conf->{ldapCAPath} ? ( capath => $conf->{ldapCAPath} ) : () ),
|
||||||
|
( $conf->{ldapVerify} ? ( verify => $conf->{ldapVerify} ) : () ),
|
||||||
);
|
);
|
||||||
unless ($self) {
|
unless ($self) {
|
||||||
$portal->logger->error($@);
|
$portal->logger->error($@);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
elsif ( $Net::LDAP::VERSION < '0.64' ) {
|
||||||
|
|
||||||
|
# CentOS7 has a bug in which IO::Socket::SSL will return a broken
|
||||||
|
# socket when certificate validation fails. Net::LDAP does not catch
|
||||||
|
# it, and the process ends up crashing.
|
||||||
|
# As a precaution, make sure the underlying socket is doing fine:
|
||||||
|
if ( $self->socket->isa('IO::Socket::SSL')
|
||||||
|
and $self->socket->errstr < 0 )
|
||||||
|
{
|
||||||
|
$portal->logger->error(
|
||||||
|
"SSL connection error: " . $self->socket->errstr );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
bless $self, $class;
|
bless $self, $class;
|
||||||
if ($useTls) {
|
if ($useTls) {
|
||||||
my %h = split( /[&=]/, $tlsParam );
|
my %h = split( /[&=]/, $tlsParam );
|
||||||
$h{cafile} = $conf->{caFile} if ( $conf->{caFile} );
|
$h{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
|
||||||
$h{capath} = $conf->{caPath} if ( $conf->{caPath} );
|
$h{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
|
||||||
|
$h{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
|
||||||
my $mesg = $self->start_tls(%h);
|
my $mesg = $self->start_tls(%h);
|
||||||
if ( $mesg->code ) {
|
if ( $mesg->code ) {
|
||||||
$portal->logger->error('StartTLS failed');
|
$portal->logger->error( 'StartTLS failed: ' . $mesg->error );
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -180,7 +196,8 @@ sub userBind {
|
||||||
# Return direct unless control resonse
|
# Return direct unless control resonse
|
||||||
unless ( defined $resp ) {
|
unless ( defined $resp ) {
|
||||||
if ( $mesg->code == 49 ) {
|
if ( $mesg->code == 49 ) {
|
||||||
$self->{portal}->userLogger->warn("Bad password for $req->{user} (".$req->address.")");
|
$self->{portal}->userLogger->warn(
|
||||||
|
"Bad password for $req->{user} (" . $req->address . ")" );
|
||||||
return PE_BADCREDENTIALS;
|
return PE_BADCREDENTIALS;
|
||||||
}
|
}
|
||||||
elsif ( $mesg->code == 0 ) {
|
elsif ( $mesg->code == 0 ) {
|
||||||
|
@ -262,7 +279,8 @@ sub userBind {
|
||||||
$req->data->{ldapError} = $mesg->error;
|
$req->data->{ldapError} = $mesg->error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$self->{portal}->userLogger->warn("Bad password for $req->{user} (".$req->address.")");
|
$self->{portal}->userLogger->warn(
|
||||||
|
"Bad password for $req->{user} (" . $req->address . ")" );
|
||||||
return PE_BADCREDENTIALS;
|
return PE_BADCREDENTIALS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -679,6 +697,9 @@ sub searchGroups {
|
||||||
|
|
||||||
# Launch group search
|
# Launch group search
|
||||||
if ($group_value) {
|
if ($group_value) {
|
||||||
|
if ( $self->{conf}->{ldapGroupDecodeSearchedValue} ) {
|
||||||
|
utf8::decode($group_value);
|
||||||
|
}
|
||||||
|
|
||||||
if ( $dupcheck->{$group_value} ) {
|
if ( $dupcheck->{$group_value} ) {
|
||||||
$self->{portal}->logger->debug(
|
$self->{portal}->logger->debug(
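Review bot: In the `new` hunk, when `ldapVerify` is unset neither the constructor arguments nor `start_tls(%h)` receive a `verify` option, so Net::LDAP's own default (documented as `none`) applies even when `ldapCAFile`/`ldapCAPath` are configured: the CA material is loaded but the server certificate is not checked against it. Consider computing the value once, e.g. `my $verify = $conf->{ldapVerify} || ( ( $conf->{ldapCAFile} || $conf->{ldapCAPath} ) ? 'require' : undef );`, and passing it in both places, or at least add a comment stating that verification stays off unless `ldapVerify` is set. Note also that `$h{verify} ||= $conf->{ldapVerify}` lets a `verify` key already present in `%h` (taken from `$tlsParam`) win over the global setting; if that per-server override is intended, say so in a comment. The `$self->socket->errstr < 0` test in the new `elsif` branch compares the IO::Socket::SSL error numerically, which only does what the comment describes if `errstr` yields a dualvar with a negative numeric part — worth a comment or an explicit check. `new` starts and ends outside this hunk.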
|
||||||
|
|
|
@ -5,7 +5,7 @@ use Mouse;
|
||||||
use JSON qw(from_json);
|
use JSON qw(from_json);
|
||||||
use POSIX qw(strftime);
|
use POSIX qw(strftime);
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
no warnings 'redefine';
|
no warnings 'redefine';
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,7 @@ use XML::LibXML;
|
||||||
use XML::LibXSLT;
|
use XML::LibXSLT;
|
||||||
use POSIX qw(strftime);
|
use POSIX qw(strftime);
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
# Lemonldap::NG::Portal::Main::Plugin provides addAuthRoute() and
|
# Lemonldap::NG::Portal::Main::Plugin provides addAuthRoute() and
|
||||||
# addUnauthRoute() methods in addition of Lemonldap::NG::Common::Module.
|
# addUnauthRoute() methods in addition of Lemonldap::NG::Common::Module.
|
||||||
|
|
|
@ -21,7 +21,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
PE_SAML_SLO_ERROR
|
PE_SAML_SLO_ERROR
|
||||||
);
|
);
|
||||||
|
|
||||||
our $VERSION = '2.0.8';
|
our $VERSION = '2.0.9';
|
||||||
|
|
||||||
# PROPERTIES
|
# PROPERTIES
|
||||||
|
|
||||||
|
|