Merge branch 'v2.0'

2020-04-03 11:21:56 +02:00 · 2020-04-03 11:21:56 +02:00 · 28dc89796c
parent be55df6d1d e51e962eb4
commit 28dc89796c
45 changed files with 631 additions and 261 deletions
--- a/8
+++ b/8
@ -207,15 +207,21 @@ MANAGERJSONSRC= scripts/jsongenerator.pl \
 		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Build/Attributes.pm \
 		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Build/Tree.pm \
 		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Build/CTrees.pm \
-		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Conf/Zero.pm
+		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Conf/Zero.pm \
+		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
 MANAGERJSONDST=$(SRCMANAGERDIR)/site/htdocs/static/struct.json \
+		$(SRCMANAGERDIR)/site/htdocs/static/reverseTree.json \
 		$(SRCMANAGERDIR)/site/htdocs/static/js/conftree.js \
 		$(SRCMANAGERDIR)/lib/Lemonldap/NG/Manager/Attributes.pm \
 		$(SRCCOMMONDIR)/lib/Lemonldap/NG/Common/Conf/ReConstants.pm \
 		$(SRCCOMMONDIR)/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm \
 		$(SRCCOMMONDIR)/lib/Lemonldap/NG/Common/Conf/Constants.pm \
+		$(SRCPORTALDIR)/lib/Lemonldap/NG/Portal/Main/Constants.pm \
+		$(SRCHANDLERDIR)/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm \
 		_example/conf/lmConf-1.json

+
+
 # Javascript and CSS to minify
 JSSRCFILES:=$(shell find */site/htdocs/static/js $(SRCPORTALDIR)/site/htdocs/static -type f -name '*.js' ! -name '*.min.js') \
 		$(SRCMANAGERDIR)/site/htdocs/static/bwr/file-saver.js/FileSaver.js
--- a/e2e-tests/lemonldap-ng.ini
+++ b/e2e-tests/lemonldap-ng.ini
@ -27,6 +27,7 @@ templateDir  = __pwd__/lemonldap-ng-portal/site/templates
 portalStatus = 1
 totp2fActivation = 1
 totp2fSelfRegistration = 1
+totp2fIssuer = LLNG_Demo
 captcha_mail_enabled = 0
 portalDisplayResetPassword = 1
 ;pdataDomain = example.com
--- a/fastcgi-server/man/llng-fastcgi-server.8p
+++ b/fastcgi-server/man/llng-fastcgi-server.8p
@ -129,7 +129,11 @@
 .\" ========================================================================
 .\"
 .IX Title "llng-fastcgi-server 8"
+<<<<<<< HEAD
 .TH llng-fastcgi-server 8 "2020-04-03" "perl v5.26.1" "User Contributed Perl Documentation"
+=======
+.TH llng-fastcgi-server 8 "2020-04-01" "perl v5.26.1" "User Contributed Perl Documentation"
+>>>>>>> v2.0
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@ -221,8 +221,11 @@ sub defaultValues {
        'passwordPolicyMinDigit'              => 0,
        'passwordPolicyMinLower'              => 0,
        'passwordPolicyMinSize'               => 0,
+        'passwordPolicyMinSpeChar'            => 0,
        'passwordPolicyMinUpper'              => 0,
-        'passwordResetAllowedRetries'         => 3,
+        'passwordPolicySpecialChar' =>
+          '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
+        'passwordResetAllowedRetries' => 3,
        'persistentSessionAttributes' =>
          '_loginHistory _2fDevices notification_',
        'port'                                => -1,
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm
@ -8,101 +8,103 @@ our $VERSION = '2.1.0';

 sub portalConsts {
    return {
-        '-1' => 'PE_DONE',
-        '-2' => 'PE_REDIRECT',
-        '-3' => 'PE_INFO',
-        '-4' => 'PE_SENDRESPONSE',
-        '-5' => 'PE_IDPCHOICE',
-        '-6' => 'PE_PASSWORD_OK',
-        '-7' => 'PE_LOGOUT_OK',
-        '0'  => 'PE_OK',
-        '1'  => 'PE_SESSIONEXPIRED',
-        '10' => 'PE_BADCERTIFICATE',
-        '2'  => 'PE_FORMEMPTY',
-        '21' => 'PE_PP_ACCOUNT_LOCKED',
-        '22' => 'PE_PP_PASSWORD_EXPIRED',
-        '23' => 'PE_CERTIFICATEREQUIRED',
-        '24' => 'PE_ERROR',
-        '25' => 'PE_PP_CHANGE_AFTER_RESET',
-        '26' => 'PE_PP_PASSWORD_MOD_NOT_ALLOWED',
-        '27' => 'PE_PP_MUST_SUPPLY_OLD_PASSWORD',
-        '28' => 'PE_PP_INSUFFICIENT_PASSWORD_QUALITY',
-        '29' => 'PE_PP_PASSWORD_TOO_SHORT',
-        '3'  => 'PE_WRONGMANAGERACCOUNT',
-        '30' => 'PE_PP_PASSWORD_TOO_YOUNG',
-        '31' => 'PE_PP_PASSWORD_IN_HISTORY',
-        '32' => 'PE_PP_GRACE',
-        '33' => 'PE_PP_EXP_WARNING',
-        '34' => 'PE_PASSWORD_MISMATCH',
-        '36' => 'PE_NOTIFICATION',
-        '37' => 'PE_BADURL',
-        '38' => 'PE_NOSCHEME',
-        '39' => 'PE_BADOLDPASSWORD',
-        '4'  => 'PE_USERNOTFOUND',
-        '40' => 'PE_MALFORMEDUSER',
-        '41' => 'PE_SESSIONNOTGRANTED',
-        '42' => 'PE_CONFIRM',
-        '43' => 'PE_MAILFORMEMPTY',
-        '44' => 'PE_BADMAILTOKEN',
-        '45' => 'PE_MAILERROR',
-        '46' => 'PE_MAILOK',
-        '48' => 'PE_SAML_ERROR',
-        '49' => 'PE_SAML_LOAD_SERVICE_ERROR',
-        '5'  => 'PE_BADCREDENTIALS',
-        '50' => 'PE_SAML_LOAD_IDP_ERROR',
-        '51' => 'PE_SAML_SSO_ERROR',
-        '52' => 'PE_SAML_UNKNOWN_ENTITY',
-        '53' => 'PE_SAML_DESTINATION_ERROR',
-        '54' => 'PE_SAML_CONDITIONS_ERROR',
-        '55' => 'PE_SAML_IDPSSOINITIATED_NOTALLOWED',
-        '56' => 'PE_SAML_SLO_ERROR',
-        '57' => 'PE_SAML_SIGNATURE_ERROR',
-        '58' => 'PE_SAML_ART_ERROR',
-        '59' => 'PE_SAML_SESSION_ERROR',
-        '6'  => 'PE_LDAPCONNECTFAILED',
-        '60' => 'PE_SAML_LOAD_SP_ERROR',
-        '61' => 'PE_SAML_ATTR_ERROR',
-        '62' => 'PE_OPENID_EMPTY',
-        '63' => 'PE_OPENID_BADID',
-        '64' => 'PE_MISSINGREQATTR',
-        '65' => 'PE_BADPARTNER',
-        '66' => 'PE_MAILCONFIRMATION_ALREADY_SENT',
-        '67' => 'PE_PASSWORDFORMEMPTY',
-        '68' => 'PE_CAS_SERVICE_NOT_ALLOWED',
-        '69' => 'PE_MAILFIRSTACCESS',
-        '7'  => 'PE_LDAPERROR',
-        '70' => 'PE_MAILNOTFOUND',
-        '71' => 'PE_PASSWORDFIRSTACCESS',
-        '72' => 'PE_MAILCONFIRMOK',
-        '73' => 'PE_RADIUSCONNECTFAILED',
-        '74' => 'PE_MUST_SUPPLY_OLD_PASSWORD',
-        '75' => 'PE_FORBIDDENIP',
-        '76' => 'PE_CAPTCHAERROR',
-        '77' => 'PE_CAPTCHAEMPTY',
-        '78' => 'PE_REGISTERFIRSTACCESS',
-        '79' => 'PE_REGISTERFORMEMPTY',
-        '8'  => 'PE_APACHESESSIONERROR',
-        '80' => 'PE_REGISTERALREADYEXISTS',
-        '81' => 'PE_NOTOKEN',
-        '82' => 'PE_TOKENEXPIRED',
-        '83' => 'PE_U2FFAILED',
-        '84' => 'PE_UNAUTHORIZEDPARTNER',
-        '85' => 'PE_RENEWSESSION',
-        '86' => 'PE_WAIT',
-        '87' => 'PE_MUSTAUTHN',
-        '88' => 'PE_MUSTHAVEMAIL',
-        '89' => 'PE_SAML_SERVICE_NOT_ALLOWED',
-        '9'  => 'PE_FIRSTACCESS',
-        '90' => 'PE_OIDC_SERVICE_NOT_ALLOWED',
-        '91' => 'PE_OID_SERVICE_NOT_ALLOWED',
-        '92' => 'PE_GET_SERVICE_NOT_ALLOWED',
-        '93' => 'PE_IMPERSONATION_SERVICE_NOT_ALLOWED',
-        '94' => 'PE_ISSUERMISSINGREQATTR',
-        '95' => 'PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED',
-        '96' => 'PE_BADOTP',
-        '97' => 'PE_RESETCERTIFICATE_INVALID',
-        '98' => 'PE_RESETCERTIFICATE_FORMEMPTY',
-        '99' => 'PE_RESETCERTIFICATE_FIRSTACCESS'
+        '-1'  => 'PE_DONE',
+        '-2'  => 'PE_REDIRECT',
+        '-3'  => 'PE_INFO',
+        '-4'  => 'PE_SENDRESPONSE',
+        '-5'  => 'PE_IDPCHOICE',
+        '-6'  => 'PE_PASSWORD_OK',
+        '-7'  => 'PE_LOGOUT_OK',
+        '0'   => 'PE_OK',
+        '1'   => 'PE_SESSIONEXPIRED',
+        '10'  => 'PE_BADCERTIFICATE',
+        '100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
+        '101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
+        '2'   => 'PE_FORMEMPTY',
+        '21'  => 'PE_PP_ACCOUNT_LOCKED',
+        '22'  => 'PE_PP_PASSWORD_EXPIRED',
+        '23'  => 'PE_CERTIFICATEREQUIRED',
+        '24'  => 'PE_ERROR',
+        '25'  => 'PE_PP_CHANGE_AFTER_RESET',
+        '26'  => 'PE_PP_PASSWORD_MOD_NOT_ALLOWED',
+        '27'  => 'PE_PP_MUST_SUPPLY_OLD_PASSWORD',
+        '28'  => 'PE_PP_INSUFFICIENT_PASSWORD_QUALITY',
+        '29'  => 'PE_PP_PASSWORD_TOO_SHORT',
+        '3'   => 'PE_WRONGMANAGERACCOUNT',
+        '30'  => 'PE_PP_PASSWORD_TOO_YOUNG',
+        '31'  => 'PE_PP_PASSWORD_IN_HISTORY',
+        '32'  => 'PE_PP_GRACE',
+        '33'  => 'PE_PP_EXP_WARNING',
+        '34'  => 'PE_PASSWORD_MISMATCH',
+        '36'  => 'PE_NOTIFICATION',
+        '37'  => 'PE_BADURL',
+        '38'  => 'PE_NOSCHEME',
+        '39'  => 'PE_BADOLDPASSWORD',
+        '4'   => 'PE_USERNOTFOUND',
+        '40'  => 'PE_MALFORMEDUSER',
+        '41'  => 'PE_SESSIONNOTGRANTED',
+        '42'  => 'PE_CONFIRM',
+        '43'  => 'PE_MAILFORMEMPTY',
+        '44'  => 'PE_BADMAILTOKEN',
+        '45'  => 'PE_MAILERROR',
+        '46'  => 'PE_MAILOK',
+        '48'  => 'PE_SAML_ERROR',
+        '49'  => 'PE_SAML_LOAD_SERVICE_ERROR',
+        '5'   => 'PE_BADCREDENTIALS',
+        '50'  => 'PE_SAML_LOAD_IDP_ERROR',
+        '51'  => 'PE_SAML_SSO_ERROR',
+        '52'  => 'PE_SAML_UNKNOWN_ENTITY',
+        '53'  => 'PE_SAML_DESTINATION_ERROR',
+        '54'  => 'PE_SAML_CONDITIONS_ERROR',
+        '55'  => 'PE_SAML_IDPSSOINITIATED_NOTALLOWED',
+        '56'  => 'PE_SAML_SLO_ERROR',
+        '57'  => 'PE_SAML_SIGNATURE_ERROR',
+        '58'  => 'PE_SAML_ART_ERROR',
+        '59'  => 'PE_SAML_SESSION_ERROR',
+        '6'   => 'PE_LDAPCONNECTFAILED',
+        '60'  => 'PE_SAML_LOAD_SP_ERROR',
+        '61'  => 'PE_SAML_ATTR_ERROR',
+        '62'  => 'PE_OPENID_EMPTY',
+        '63'  => 'PE_OPENID_BADID',
+        '64'  => 'PE_MISSINGREQATTR',
+        '65'  => 'PE_BADPARTNER',
+        '66'  => 'PE_MAILCONFIRMATION_ALREADY_SENT',
+        '67'  => 'PE_PASSWORDFORMEMPTY',
+        '68'  => 'PE_CAS_SERVICE_NOT_ALLOWED',
+        '69'  => 'PE_MAILFIRSTACCESS',
+        '7'   => 'PE_LDAPERROR',
+        '70'  => 'PE_MAILNOTFOUND',
+        '71'  => 'PE_PASSWORDFIRSTACCESS',
+        '72'  => 'PE_MAILCONFIRMOK',
+        '73'  => 'PE_RADIUSCONNECTFAILED',
+        '74'  => 'PE_MUST_SUPPLY_OLD_PASSWORD',
+        '75'  => 'PE_FORBIDDENIP',
+        '76'  => 'PE_CAPTCHAERROR',
+        '77'  => 'PE_CAPTCHAEMPTY',
+        '78'  => 'PE_REGISTERFIRSTACCESS',
+        '79'  => 'PE_REGISTERFORMEMPTY',
+        '8'   => 'PE_APACHESESSIONERROR',
+        '80'  => 'PE_REGISTERALREADYEXISTS',
+        '81'  => 'PE_NOTOKEN',
+        '82'  => 'PE_TOKENEXPIRED',
+        '83'  => 'PE_U2FFAILED',
+        '84'  => 'PE_UNAUTHORIZEDPARTNER',
+        '85'  => 'PE_RENEWSESSION',
+        '86'  => 'PE_WAIT',
+        '87'  => 'PE_MUSTAUTHN',
+        '88'  => 'PE_MUSTHAVEMAIL',
+        '89'  => 'PE_SAML_SERVICE_NOT_ALLOWED',
+        '9'   => 'PE_FIRSTACCESS',
+        '90'  => 'PE_OIDC_SERVICE_NOT_ALLOWED',
+        '91'  => 'PE_OID_SERVICE_NOT_ALLOWED',
+        '92'  => 'PE_GET_SERVICE_NOT_ALLOWED',
+        '93'  => 'PE_IMPERSONATION_SERVICE_NOT_ALLOWED',
+        '94'  => 'PE_ISSUERMISSINGREQATTR',
+        '95'  => 'PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED',
+        '96'  => 'PE_BADOTP',
+        '97'  => 'PE_RESETCERTIFICATE_INVALID',
+        '98'  => 'PE_RESETCERTIFICATE_FORMEMPTY',
+        '99'  => 'PE_RESETCERTIFICATE_FIRSTACCESS'
    };

 }
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -2436,10 +2436,19 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
            'default' => 0,
            'type'    => 'int'
        },
+        'passwordPolicyMinSpeChar' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
        'passwordPolicyMinUpper' => {
            'default' => 0,
            'type'    => 'int'
        },
+        'passwordPolicySpecialChar' => {
+            'default' => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
+            'test'    => qr/^[\s\W_]*$/,
+            'type'    => 'text'
+        },
        'passwordResetAllowedRetries' => {
            'default' => 3,
            'type'    => 'int'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -1446,6 +1446,17 @@ sub attributes {
            type          => 'int',
            documentation => 'Password policy: minimal digit characters',
        },
+        passwordPolicyMinSpeChar => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Password policy: minimal special characters',
+        },
+        passwordPolicySpecialChar => {
+            default       => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
+            type          => 'text',
+            test          => qr/^[\s\W_]*$/,
+            documentation => 'Password policy: allowed special characters',
+        },
        portalDisplayPasswordPolicy => {
            default       => 0,
            type          => 'bool',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
@ -107,6 +107,8 @@ sub portalConstants {
        PE_RESETCERTIFICATE_INVALID          => 97,
        PE_RESETCERTIFICATE_FORMEMPTY        => 98,
        PE_RESETCERTIFICATE_FIRSTACCESS      => 99,
+        PE_PP_NOT_ALLOWED_CHARACTER          => 100,
+        PE_PP_NOT_ALLOWED_CHARACTERS         => 101
    };
 }

--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -92,6 +92,8 @@ sub tree {
                                        'passwordPolicyMinLower',
                                        'passwordPolicyMinUpper',
                                        'passwordPolicyMinDigit',
+                                        'passwordPolicyMinSpeChar',
+                                        'passwordPolicySpecialChar',
                                        'portalDisplayPasswordPolicy',
                                    ]
                                },
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimal lower characters",
 "passwordPolicyMinUpper":"Minimal upper characters",
 "passwordPolicyMinDigit":"Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"الثابتة",
 "persistentSessions":"الجلسات الثابتة",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimal lower characters",
 "passwordPolicyMinUpper":"Minimal upper characters",
 "passwordPolicyMinDigit":"Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower": "Minimal lower characters",
 "passwordPolicyMinUpper": "Minimal upper characters",
 "passwordPolicyMinDigit": "Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower": "Minimum de minuscules",
 "passwordPolicyMinUpper": "Minimum de majuscules",
 "passwordPolicyMinDigit": "Minimum de chiffres",
+"passwordPolicyMinSpeChar":"Minimum de caractètes spéciaux",
+"passwordPolicySpecialChar":"Caractètes spéciaux autorisés",
 "passwordResetAllowedRetries":"Nombre d'essais pour réinitialiser le mot de passe",
 "persistent":"Persistantes",
 "persistentSessions":"Sessions persistantes",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimal lower characters",
 "passwordPolicyMinUpper":"Minimal upper characters",
 "passwordPolicyMinDigit":"Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max tentativi di reimpostazione della password",
 "persistent":"Persistente",
 "persistentSessions":"Sessioni persistenti",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimum küçük harf karakter sayısı",
 "passwordPolicyMinUpper":"Minimum büyük harf karakter sayısı",
 "passwordPolicyMinDigit":"Minimum rakam karakter sayısı",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Maksimum parola sıfırlama denemesi",
 "persistent":"Kalıcı",
 "persistentSessions":"Kalıcı oturumlar",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimal lower characters",
 "passwordPolicyMinUpper":"Minimal upper characters",
 "passwordPolicyMinDigit":"Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Duy trì",
 "persistentSessions":"Duy trì phiên",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -681,6 +681,8 @@
 "passwordPolicyMinLower":"Minimal lower characters",
 "passwordPolicyMinUpper":"Minimal upper characters",
 "passwordPolicyMinDigit":"Minimal digit characters",
+"passwordPolicyMinSpeChar":"Minimal special characters",
+"passwordPolicySpecialChar":"Allowed special characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
@ -103,105 +103,109 @@ use constant {
    PE_RESETCERTIFICATE_INVALID          => 97,
    PE_RESETCERTIFICATE_FORMEMPTY        => 98,
    PE_RESETCERTIFICATE_FIRSTACCESS      => 99,
+    PE_PP_NOT_ALLOWED_CHARACTER          => 100,
+    PE_PP_NOT_ALLOWED_CHARACTERS         => 101,
 };

 sub portalConsts {
    return {
-        '-1' => 'PE_DONE',
-        '-2' => 'PE_REDIRECT',
-        '-3' => 'PE_INFO',
-        '-4' => 'PE_SENDRESPONSE',
-        '-5' => 'PE_IDPCHOICE',
-        '-6' => 'PE_PASSWORD_OK',
-        '-7' => 'PE_LOGOUT_OK',
-        '0'  => 'PE_OK',
-        '1'  => 'PE_SESSIONEXPIRED',
-        '10' => 'PE_BADCERTIFICATE',
-        '2'  => 'PE_FORMEMPTY',
-        '21' => 'PE_PP_ACCOUNT_LOCKED',
-        '22' => 'PE_PP_PASSWORD_EXPIRED',
-        '23' => 'PE_CERTIFICATEREQUIRED',
-        '24' => 'PE_ERROR',
-        '25' => 'PE_PP_CHANGE_AFTER_RESET',
-        '26' => 'PE_PP_PASSWORD_MOD_NOT_ALLOWED',
-        '27' => 'PE_PP_MUST_SUPPLY_OLD_PASSWORD',
-        '28' => 'PE_PP_INSUFFICIENT_PASSWORD_QUALITY',
-        '29' => 'PE_PP_PASSWORD_TOO_SHORT',
-        '3'  => 'PE_WRONGMANAGERACCOUNT',
-        '30' => 'PE_PP_PASSWORD_TOO_YOUNG',
-        '31' => 'PE_PP_PASSWORD_IN_HISTORY',
-        '32' => 'PE_PP_GRACE',
-        '33' => 'PE_PP_EXP_WARNING',
-        '34' => 'PE_PASSWORD_MISMATCH',
-        '36' => 'PE_NOTIFICATION',
-        '37' => 'PE_BADURL',
-        '38' => 'PE_NOSCHEME',
-        '39' => 'PE_BADOLDPASSWORD',
-        '4'  => 'PE_USERNOTFOUND',
-        '40' => 'PE_MALFORMEDUSER',
-        '41' => 'PE_SESSIONNOTGRANTED',
-        '42' => 'PE_CONFIRM',
-        '43' => 'PE_MAILFORMEMPTY',
-        '44' => 'PE_BADMAILTOKEN',
-        '45' => 'PE_MAILERROR',
-        '46' => 'PE_MAILOK',
-        '48' => 'PE_SAML_ERROR',
-        '49' => 'PE_SAML_LOAD_SERVICE_ERROR',
-        '5'  => 'PE_BADCREDENTIALS',
-        '50' => 'PE_SAML_LOAD_IDP_ERROR',
-        '51' => 'PE_SAML_SSO_ERROR',
-        '52' => 'PE_SAML_UNKNOWN_ENTITY',
-        '53' => 'PE_SAML_DESTINATION_ERROR',
-        '54' => 'PE_SAML_CONDITIONS_ERROR',
-        '55' => 'PE_SAML_IDPSSOINITIATED_NOTALLOWED',
-        '56' => 'PE_SAML_SLO_ERROR',
-        '57' => 'PE_SAML_SIGNATURE_ERROR',
-        '58' => 'PE_SAML_ART_ERROR',
-        '59' => 'PE_SAML_SESSION_ERROR',
-        '6'  => 'PE_LDAPCONNECTFAILED',
-        '60' => 'PE_SAML_LOAD_SP_ERROR',
-        '61' => 'PE_SAML_ATTR_ERROR',
-        '62' => 'PE_OPENID_EMPTY',
-        '63' => 'PE_OPENID_BADID',
-        '64' => 'PE_MISSINGREQATTR',
-        '65' => 'PE_BADPARTNER',
-        '66' => 'PE_MAILCONFIRMATION_ALREADY_SENT',
-        '67' => 'PE_PASSWORDFORMEMPTY',
-        '68' => 'PE_CAS_SERVICE_NOT_ALLOWED',
-        '69' => 'PE_MAILFIRSTACCESS',
-        '7'  => 'PE_LDAPERROR',
-        '70' => 'PE_MAILNOTFOUND',
-        '71' => 'PE_PASSWORDFIRSTACCESS',
-        '72' => 'PE_MAILCONFIRMOK',
-        '73' => 'PE_RADIUSCONNECTFAILED',
-        '74' => 'PE_MUST_SUPPLY_OLD_PASSWORD',
-        '75' => 'PE_FORBIDDENIP',
-        '76' => 'PE_CAPTCHAERROR',
-        '77' => 'PE_CAPTCHAEMPTY',
-        '78' => 'PE_REGISTERFIRSTACCESS',
-        '79' => 'PE_REGISTERFORMEMPTY',
-        '8'  => 'PE_APACHESESSIONERROR',
-        '80' => 'PE_REGISTERALREADYEXISTS',
-        '81' => 'PE_NOTOKEN',
-        '82' => 'PE_TOKENEXPIRED',
-        '83' => 'PE_U2FFAILED',
-        '84' => 'PE_UNAUTHORIZEDPARTNER',
-        '85' => 'PE_RENEWSESSION',
-        '86' => 'PE_WAIT',
-        '87' => 'PE_MUSTAUTHN',
-        '88' => 'PE_MUSTHAVEMAIL',
-        '89' => 'PE_SAML_SERVICE_NOT_ALLOWED',
-        '9'  => 'PE_FIRSTACCESS',
-        '90' => 'PE_OIDC_SERVICE_NOT_ALLOWED',
-        '91' => 'PE_OID_SERVICE_NOT_ALLOWED',
-        '92' => 'PE_GET_SERVICE_NOT_ALLOWED',
-        '93' => 'PE_IMPERSONATION_SERVICE_NOT_ALLOWED',
-        '94' => 'PE_ISSUERMISSINGREQATTR',
-        '95' => 'PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED',
-        '96' => 'PE_BADOTP',
-        '97' => 'PE_RESETCERTIFICATE_INVALID',
-        '98' => 'PE_RESETCERTIFICATE_FORMEMPTY',
-        '99' => 'PE_RESETCERTIFICATE_FIRSTACCESS'
+        '-1'  => 'PE_DONE',
+        '-2'  => 'PE_REDIRECT',
+        '-3'  => 'PE_INFO',
+        '-4'  => 'PE_SENDRESPONSE',
+        '-5'  => 'PE_IDPCHOICE',
+        '-6'  => 'PE_PASSWORD_OK',
+        '-7'  => 'PE_LOGOUT_OK',
+        '0'   => 'PE_OK',
+        '1'   => 'PE_SESSIONEXPIRED',
+        '10'  => 'PE_BADCERTIFICATE',
+        '100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
+        '101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
+        '2'   => 'PE_FORMEMPTY',
+        '21'  => 'PE_PP_ACCOUNT_LOCKED',
+        '22'  => 'PE_PP_PASSWORD_EXPIRED',
+        '23'  => 'PE_CERTIFICATEREQUIRED',
+        '24'  => 'PE_ERROR',
+        '25'  => 'PE_PP_CHANGE_AFTER_RESET',
+        '26'  => 'PE_PP_PASSWORD_MOD_NOT_ALLOWED',
+        '27'  => 'PE_PP_MUST_SUPPLY_OLD_PASSWORD',
+        '28'  => 'PE_PP_INSUFFICIENT_PASSWORD_QUALITY',
+        '29'  => 'PE_PP_PASSWORD_TOO_SHORT',
+        '3'   => 'PE_WRONGMANAGERACCOUNT',
+        '30'  => 'PE_PP_PASSWORD_TOO_YOUNG',
+        '31'  => 'PE_PP_PASSWORD_IN_HISTORY',
+        '32'  => 'PE_PP_GRACE',
+        '33'  => 'PE_PP_EXP_WARNING',
+        '34'  => 'PE_PASSWORD_MISMATCH',
+        '36'  => 'PE_NOTIFICATION',
+        '37'  => 'PE_BADURL',
+        '38'  => 'PE_NOSCHEME',
+        '39'  => 'PE_BADOLDPASSWORD',
+        '4'   => 'PE_USERNOTFOUND',
+        '40'  => 'PE_MALFORMEDUSER',
+        '41'  => 'PE_SESSIONNOTGRANTED',
+        '42'  => 'PE_CONFIRM',
+        '43'  => 'PE_MAILFORMEMPTY',
+        '44'  => 'PE_BADMAILTOKEN',
+        '45'  => 'PE_MAILERROR',
+        '46'  => 'PE_MAILOK',
+        '48'  => 'PE_SAML_ERROR',
+        '49'  => 'PE_SAML_LOAD_SERVICE_ERROR',
+        '5'   => 'PE_BADCREDENTIALS',
+        '50'  => 'PE_SAML_LOAD_IDP_ERROR',
+        '51'  => 'PE_SAML_SSO_ERROR',
+        '52'  => 'PE_SAML_UNKNOWN_ENTITY',
+        '53'  => 'PE_SAML_DESTINATION_ERROR',
+        '54'  => 'PE_SAML_CONDITIONS_ERROR',
+        '55'  => 'PE_SAML_IDPSSOINITIATED_NOTALLOWED',
+        '56'  => 'PE_SAML_SLO_ERROR',
+        '57'  => 'PE_SAML_SIGNATURE_ERROR',
+        '58'  => 'PE_SAML_ART_ERROR',
+        '59'  => 'PE_SAML_SESSION_ERROR',
+        '6'   => 'PE_LDAPCONNECTFAILED',
+        '60'  => 'PE_SAML_LOAD_SP_ERROR',
+        '61'  => 'PE_SAML_ATTR_ERROR',
+        '62'  => 'PE_OPENID_EMPTY',
+        '63'  => 'PE_OPENID_BADID',
+        '64'  => 'PE_MISSINGREQATTR',
+        '65'  => 'PE_BADPARTNER',
+        '66'  => 'PE_MAILCONFIRMATION_ALREADY_SENT',
+        '67'  => 'PE_PASSWORDFORMEMPTY',
+        '68'  => 'PE_CAS_SERVICE_NOT_ALLOWED',
+        '69'  => 'PE_MAILFIRSTACCESS',
+        '7'   => 'PE_LDAPERROR',
+        '70'  => 'PE_MAILNOTFOUND',
+        '71'  => 'PE_PASSWORDFIRSTACCESS',
+        '72'  => 'PE_MAILCONFIRMOK',
+        '73'  => 'PE_RADIUSCONNECTFAILED',
+        '74'  => 'PE_MUST_SUPPLY_OLD_PASSWORD',
+        '75'  => 'PE_FORBIDDENIP',
+        '76'  => 'PE_CAPTCHAERROR',
+        '77'  => 'PE_CAPTCHAEMPTY',
+        '78'  => 'PE_REGISTERFIRSTACCESS',
+        '79'  => 'PE_REGISTERFORMEMPTY',
+        '8'   => 'PE_APACHESESSIONERROR',
+        '80'  => 'PE_REGISTERALREADYEXISTS',
+        '81'  => 'PE_NOTOKEN',
+        '82'  => 'PE_TOKENEXPIRED',
+        '83'  => 'PE_U2FFAILED',
+        '84'  => 'PE_UNAUTHORIZEDPARTNER',
+        '85'  => 'PE_RENEWSESSION',
+        '86'  => 'PE_WAIT',
+        '87'  => 'PE_MUSTAUTHN',
+        '88'  => 'PE_MUSTHAVEMAIL',
+        '89'  => 'PE_SAML_SERVICE_NOT_ALLOWED',
+        '9'   => 'PE_FIRSTACCESS',
+        '90'  => 'PE_OIDC_SERVICE_NOT_ALLOWED',
+        '91'  => 'PE_OID_SERVICE_NOT_ALLOWED',
+        '92'  => 'PE_GET_SERVICE_NOT_ALLOWED',
+        '93'  => 'PE_IMPERSONATION_SERVICE_NOT_ALLOWED',
+        '94'  => 'PE_ISSUERMISSINGREQATTR',
+        '95'  => 'PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED',
+        '96'  => 'PE_BADOTP',
+        '97'  => 'PE_RESETCERTIFICATE_INVALID',
+        '98'  => 'PE_RESETCERTIFICATE_FORMEMPTY',
+        '99'  => 'PE_RESETCERTIFICATE_FIRSTACCESS'
    };

 }
@ -304,7 +308,9 @@ our @EXPORT_OK = (
    'PE_BADOTP',
    'PE_RESETCERTIFICATE_INVALID',
    'PE_RESETCERTIFICATE_FORMEMPTY',
-    'PE_RESETCERTIFICATE_FIRSTACCESS'
+    'PE_RESETCERTIFICATE_FIRSTACCESS',
+    'PE_PP_NOT_ALLOWED_CHARACTER',
+    'PE_PP_NOT_ALLOWED_CHARACTERS'
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@ -208,6 +208,9 @@ sub display {

    # 2.2 Case : display menu (with error or not)
    elsif ( $req->error == PE_OK ) {
+        my $speChars = $self->conf->{passwordPolicySpecialChar};
+        $speChars =~ s/\s+/ /g;
+        $speChars =~ s/(?:^\s|\s$)//g;
        $skinfile = 'menu';

        #utf8::decode($auth_user);
@ -225,6 +228,13 @@ sub display {
            PPOLICY_MINLOWER    => $self->conf->{passwordPolicyMinLower},
            PPOLICY_MINUPPER    => $self->conf->{passwordPolicyMinUpper},
            PPOLICY_MINDIGIT    => $self->conf->{passwordPolicyMinDigit},
+            PPOLICY_ALLOWEDSPECHAR => $speChars,
+            (
+                $speChars
+                ? ( PPOLICY_MINSPECHAR =>
+                      $self->conf->{passwordPolicyMinSpeChar} )
+                : ()
+            ),
            $self->menu->params($req),
            (
                $req->data->{customScript}
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Password/Base.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Password/Base.pm
@ -8,8 +8,10 @@ use Lemonldap::NG::Portal::Main::Constants qw(
  PE_BADOLDPASSWORD
  PE_PASSWORD_OK
  PE_PASSWORD_MISMATCH
-  PE_PP_MUST_SUPPLY_OLD_PASSWORD
  PE_PP_PASSWORD_TOO_SHORT
+  PE_PP_NOT_ALLOWED_CHARACTER
+  PE_PP_NOT_ALLOWED_CHARACTERS
+  PE_PP_MUST_SUPPLY_OLD_PASSWORD
  PE_PP_INSUFFICIENT_PASSWORD_QUALITY
 );

@ -25,7 +27,7 @@ sub init {

 # INTERFACE

-sub forAuthUser { '_modifyPassword' }
+use constant forAuthUser => '_modifyPassword';

 # RUNNING METHODS

@ -131,6 +133,29 @@ sub checkPasswordQuality {
        }
    }

+    ## Special characters policy
+    my $speChars = $self->conf->{passwordPolicySpecialChar};
+    $speChars =~ s/\s+//g;
+
+    # Min special characters
+    if ( $self->conf->{passwordPolicyMinSpeChar} && $speChars ) {
+        my $spe  = 0;
+        my $test = $password;
+        $spe = $test =~ s/[\Q$speChars\E]//g;
+        if ( $spe < $self->conf->{passwordPolicyMinSpeChar} ) {
+            $self->logger->error("Password has not enough special characters");
+            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
+        }
+    }
+
+    # Fobidden special characters
+    $password =~ s/[\Q$speChars\E\w]//g;
+    if ($password) {
+        $self->logger->error(
+            'Password contains ' . length($password) . " forbidden character(s): $password");
+        return length($password) > 1 ? PE_PP_NOT_ALLOWED_CHARACTERS : PE_PP_NOT_ALLOWED_CHARACTER;
+    }
+
    return PE_OK;
 }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
@ -262,6 +262,7 @@ sub check {
                    "Compute groups and macros with real and spoofed attributes"
                );
                $req->sessionInfo($attrs);
+                delete $req->sessionInfo->{groups};
                $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] );
                if ( my $error = $self->p->process($req) ) {
                    $self->logger->debug("Process returned error: $error");
@ -409,10 +410,10 @@ sub _userData {
    # Compute groups & macros again with real authenticationLevel
    $req->sessionInfo->{authenticationLevel} = $realAuthLevel;
    delete $req->sessionInfo->{groups};
+
    $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] );
    if ( my $error = $self->p->process($req) ) {
-        $self->logger->debug(
-            "ContextSwitching: Process returned error: $error");
+        $self->logger->debug("CheckUser: Process returned error: $error");
        return $req->error($error);
    }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
@ -230,6 +230,18 @@ sub _userData {
            $req->error($error);
        }
    }
+
+    # Compute groups & macros again with real authenticationLevel
+    $req->sessionInfo->{authenticationLevel} =
+      $realSession->{real_authenticationLevel};
+    delete $req->sessionInfo->{groups};
+    $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] );
+    if ( my $error = $self->p->process($req) ) {
+        $self->logger->debug("Impersonation: Process returned error: $error");
+        $req->error($error);
+    }
+
+    $self->logger->debug("Return \"$req->{user}\" sessionInfo");
    return $req->{sessionInfo};
 }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
@ -525,7 +525,11 @@ sub setSecurity {

 sub display {
    my ( $self, $req ) = @_;
+    my $speChars = $self->conf->{passwordPolicySpecialChar};
+    $speChars =~ s/\s+/ /g;
+    $speChars =~ s/(?:^\s|\s$)//g;
    $self->logger->debug( 'Display called with code: ' . $req->error );
+    
    my %tplPrm = (
        SKIN_PATH       => $self->conf->{staticPrefix},
        SKIN            => $self->p->getSkin($req),
@ -541,8 +545,7 @@ sub display {
        STARTMAILTIME   => $req->data->{startMailTime},
        MAILALREADYSENT => $req->data->{mailAlreadySent},
        MAIL            => (
-            $self->p->checkXSSAttack( 'mail', $req->{user} )
-            ? ''
+              $self->p->checkXSSAttack( 'mail', $req->{user} ) ? ''
            : $req->{user}
        ),
        DISPLAY_FORM            => 0,
@ -555,6 +558,12 @@ sub display {
        PPOLICY_MINLOWER        => $self->conf->{passwordPolicyMinLower},
        PPOLICY_MINUPPER        => $self->conf->{passwordPolicyMinUpper},
        PPOLICY_MINDIGIT        => $self->conf->{passwordPolicyMinDigit},
+        PPOLICY_ALLOWEDSPECHAR  => $speChars,
+        (
+            $speChars
+            ? ( PPOLICY_MINSPECHAR => $self->conf->{passwordPolicyMinSpeChar} )
+            : ()
+        ),
        DISPLAY_GENERATE_PASSWORD =>
          $self->conf->{portalDisplayGeneratePassword},
    );
--- a/lemonldap-ng-portal/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/ar.json
@ -87,9 +87,11 @@
 "PE94":"السمة المطلوبة غير متوفرة",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"قبول",
 "accessDenied":"ليس لديك إذن بالدخول لهذا التطبيق",
@ -226,6 +228,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"المصادقات المتبقية، غير كلمة المرور الخاصة بك!",
 "proxyError":"بوابة سيئة: غير قادر على الانضمام لالخادم البعيد",
 "pwd":"كلمة المرور",
@ -312,4 +316,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/de.json
@ -86,9 +86,11 @@
 "PE94":"Ein gefordertes Attribut ist nicht verfügbar",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"Dieser Dienst benötigt Zwei-Faktor-Authentifizierung. Bitte legen Sie ein Gerät an und gehen dann zum Portal zurück.",
 "accept":"Akzeptieren",
 "accessDenied":"Sie haben keine Zugriffsberechtigung für diese Anwendung",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"verbleibende Authentifizierungen, bitte Passwort ändern !",
 "proxyError":"Bad gateway: Der Remote-Server kann nicht verbunden werden",
 "pwd":"Passwort",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/en.json
@ -86,9 +86,11 @@
 "PE94":"A required attribute is not available",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@ -226,6 +228,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwd":"Password",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/es.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/es.json
@ -89,6 +89,8 @@
 "PE97":"Su certificado no es válido o expira próximamente",
 "PE98":"Por favor, seleccione su nuevo certificado",
 "PE99":"Por favor, seleccione su nuevo certificado",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"Este servicio necesita la autenticación de dos factores. Registre un dispositivo ahora, luego reingrese al portal.",
 "accept":"Aceptar",
 "accessDenied":"No está autorizado a acceder a esta aplicación",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minúsculas, como mínimo:",
 "passwordPolicyMinUpper":"Mayúsculas, como mínimo:",
 "passwordPolicyMinDigit":"Dígitos, como mínimo:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"autenticaciones restantes, ¡cambie su contraseña!.",
 "proxyError":"Puerta de enlace no válida: servidor remoto inalcanzable",
 "pwd":"Contraseña",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/fi.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/fi.json
@ -86,9 +86,11 @@
 "PE94":"A required attribute is not available",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Hyväksy",
 "accessDenied":"Sinulla ei ole käyttöoikeutta tähän sovellukseen",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwd":"Salasana",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
@ -19,7 +19,7 @@
 "PE25":"Le mot de passe a été réinitialisé et doit être changé",
 "PE26":"Modification du mot de passe non autorisée",
 "PE27":"Ancien mot de passe à fournir pour le changer",
-"PE28":"Qualité de mot de passe insuffisante",
+"PE28":"Qualité du mot de passe insuffisante",
 "PE29":"Mot de passe trop court",
 "PE30":"Mot de passe trop récent",
 "PE31":"Mot de passe utilisé trop récemment",
@ -86,9 +86,11 @@
 "PE94":"Un attribut exigé n'est pas disponible",
 "PE95":"Accès non autorisé au service de déchiffrement",
 "PE96":"Code de sécurité invalide",
-"PE97":"Veuillez selectionner votre nouveau certificat",
-"PE98":"Veuillez selectionner votre nouveau certificat",
-"PE99":"votre certificat est invalid ou expire bientot.Veuillez contacter votre administrateur",
+"PE97":"Votre certificat est invalide ou expire prochainement",
+"PE98":"Veuillez sélectionner votre nouveau certificat",
+"PE99":"Veuillez sélectionner votre nouveau certificat",
+"PE100":"Le mot de passe contient un caractère interdit",
+"PE101":"Le mot de passe contient des caractères interdits",
 "2fRegRequired":"Ce service requiert une authentification à deux facteurs. Enregistrez un équipement ici et retournez au portail.",
 "accept":"Accepter",
 "accessDenied":"Vous n'avez pas les droits d'accès à cette application",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower": "Minimum de minuscules :",
 "passwordPolicyMinUpper": "Minimum de majuscules :",
 "passwordPolicyMinDigit": "Minimum de chiffres :",
+"passwordPolicyMinSpeChar":"Minimum de caractères spéciaux :",
+"passwordPolicySpecialChar":"Caractères spéciaux autorisés :",
 "ppGrace": "authentifications restantes, changez votre mot de passe !",
 "proxyError": "Mauvaise passerelle : impossible de joindre le serveur amont",
 "pwd":"Mot de passe",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/it.json
@ -86,9 +86,11 @@
 "PE94":"Attributo richiesto non disponibile",
 "PE95":"Accesso non concesso sul servizio DECRYPT",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"Questo servizio richiede un'autenticazione a doppio fattore. Registrare un dispositivo ora, quindi tornare al portale.",
 "accept":"Accetta",
 "accessDenied":"Non hai un'autorizzazione di accesso per questa applicazione",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"autenticazioni restanti, modifica la tua password!",
 "proxyError":"Gateway errata: impossibile associarsi a un server remoto",
 "pwd":"Password",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"La tua chiave TOTP",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/nl.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/nl.json
@ -86,9 +86,11 @@
 "PE94":"Een vereist attribuut is niet beschikbaar",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwd":"Password",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/pt.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/pt.json
@ -86,9 +86,11 @@
 "PE94":"Um atributo exigido não está disponível",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwd":"Password",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/ro.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/ro.json
@ -86,9 +86,11 @@
 "PE94":"Un atribut solicitate nu sunt disponibile",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwd":"Password",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/tr.json
@ -89,6 +89,8 @@
 "PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
 "PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"Bu servis iki adımlı kimlik doğrulama gerektiriyor. Şimdi bir cihaz ekleyin ve ardından portala geri dönün",
 "accept":"Kabul Et",
 "accessDenied":"Bu uygulamaya erişim yetkiniz yok",
@ -226,6 +228,8 @@
 "passwordPolicyMinLower":"Minimum küçük harf karakter sayısı :",
 "passwordPolicyMinUpper":"Minimum büyük harf karakter sayısı :",
 "passwordPolicyMinDigit":"Minimum rakam karakter sayısı :",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"kimlik doğrulaması kaldı, parolanızı değiştirin!",
 "proxyError":"Kötü ağ geçidi: uzak sunucuya katılamıyor",
 "pwd":"Parola",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/vi.json
@ -86,9 +86,11 @@
 "PE94":"Một thuộc tính bắt buộc không có sẵn",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Chấp nhận",
 "accessDenied":"Bạn không có quyền truy cập vào ứng dụng này",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"chứng thực vẫn còn, thay đổi mật khẩu của bạn!",
 "proxyError":"Gateway không chính xác: không thể kết nối máy chủ từ xa",
 "pwd":"Mật khẩu",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/zh.json
@ -86,9 +86,11 @@
 "PE94":"A required attribute is not available",
 "PE95":"Access not granted on DECRYPT service",
 "PE96":"Invalid verification code",
-"PE97":"Please select your new certificate",
+"PE97":"Your certificate is invalid or expires soon",
 "PE98":"Please select your new certificate",
-"PE99":"Your certificate is invalid or expires soon",
+"PE99":"Please select your new certificate",
+"PE100":"Password contains not allowed character",
+"PE101":"Password contains not allowed characters",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept 方法",
 "accessDenied":"您无权访问此应用",
@ -225,6 +227,8 @@
 "passwordPolicyMinLower":"Minimal lower characters:",
 "passwordPolicyMinUpper":"Minimal upper characters:",
 "passwordPolicyMinDigit":"Minimal digit characters:",
+"passwordPolicyMinSpeChar":"Minimal special characters:",
+"passwordPolicySpecialChar":"Allowed special characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"错误的网关：无法连接远程服务器",
 "pwd":"密码",
@ -311,4 +315,4 @@
 "yourProfile":"Know your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}
--- a/lemonldap-ng-portal/site/templates/bootstrap/passwordpolicy.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/passwordpolicy.tpl
@ -13,5 +13,11 @@
    <TMPL_IF NAME="PPOLICY_MINDIGIT">
    <li><span trspan="passwordPolicyMinDigit">Minimal digit characters:</span> <TMPL_VAR NAME="PPOLICY_MINDIGIT"></li>
    </TMPL_IF>
+    <TMPL_IF NAME="PPOLICY_MINSPECHAR">
+    <li><span trspan="passwordPolicyMinSpeChar">Minimal special characters:</span> <TMPL_VAR NAME="PPOLICY_MINSPECHAR"></li>
+    </TMPL_IF>
+    <TMPL_IF NAME="PPOLICY_ALLOWEDSPECHAR">
+    <li><span trspan="passwordPolicySpecialChar">Allowed special characters:</span> <TMPL_VAR NAME="PPOLICY_ALLOWEDSPECHAR"></li>
+    </TMPL_IF>
  </ul>
 </div>
--- a/lemonldap-ng-portal/t/02-Password-Demo-Local-Ppolicy.t
+++ b/lemonldap-ng-portal/t/02-Password-Demo-Local-Ppolicy.t
@ -2,8 +2,10 @@ use Test::More;
 use strict;
 use IO::String;
 use JSON;
-use Lemonldap::NG::Portal::Main::Constants
-  qw(PE_PP_PASSWORD_TOO_SHORT PE_PP_INSUFFICIENT_PASSWORD_QUALITY);
+use Lemonldap::NG::Portal::Main::Constants qw(
+  PE_PP_PASSWORD_TOO_SHORT PE_PP_INSUFFICIENT_PASSWORD_QUALITY
+  PE_PP_NOT_ALLOWED_CHARACTER PE_PP_NOT_ALLOWED_CHARACTERS
+);

 require 't/test-lib.pm';

@ -11,13 +13,16 @@ my $res;

 my $client = LLNG::Manager::Test->new( {
        ini => {
-            logLevel                 => 'error',
-            passwordDB               => 'Demo',
-            portalRequireOldPassword => 1,
-            passwordPolicyMinSize    => 6,
-            passwordPolicyMinLower   => 3,
-            passwordPolicyMinUpper   => 3,
-            passwordPolicyMinDigit   => 1,
+            logLevel                    => 'error',
+            passwordDB                  => 'Demo',
+            portalRequireOldPassword    => 1,
+            passwordPolicyMinSize       => 6,
+            passwordPolicyMinLower      => 3,
+            passwordPolicyMinUpper      => 3,
+            passwordPolicyMinDigit      => 1,
+            passwordPolicyMinSpeChar    => 2,
+            passwordPolicySpecialChar   => '   [  } \   ',
+            portalDisplayPasswordPolicy => 1
        }
    }
 );
@ -63,10 +68,11 @@ ok(
    $res = $client->_post(
        '/',
        IO::String->new(
-            'oldpassword=dwho&newpassword=TESTis0k&confirmpassword=TESTis0k'),
+            'oldpassword=dwho&newpassword=TESTis0k\}&confirmpassword=TESTis0k\}'
+        ),
        cookie => "lemonldap=$id",
        accept => 'application/json',
-        length => 62
+        length => 66
    ),
    'Password min size respected'
 );
@ -99,10 +105,11 @@ ok(
    $res = $client->_post(
        '/',
        IO::String->new(
-            'oldpassword=dwho&newpassword=TESTl0wer&confirmpassword=TESTl0wer'),
+'oldpassword=dwho&newpassword=TESTl0wer\}&confirmpassword=TESTl0wer\}'
+        ),
        cookie => "lemonldap=$id",
        accept => 'application/json',
-        length => 64
+        length => 68
    ),
    'Password min lower respected'
 );
@ -135,10 +142,11 @@ ok(
    $res = $client->_post(
        '/',
        IO::String->new(
-            'oldpassword=dwho&newpassword=t3stUPPER&confirmpassword=t3stUPPER'),
+'oldpassword=dwho&newpassword=t3stUPPER\}&confirmpassword=t3stUPPER\}'
+        ),
        cookie => "lemonldap=$id",
        accept => 'application/json',
-        length => 64
+        length => 68
    ),
    'Password min upper respected'
 );
@ -171,16 +179,155 @@ ok(
    $res = $client->_post(
        '/',
        IO::String->new(
-            'oldpassword=dwho&newpassword=t3stDIGIT&confirmpassword=t3stDIGIT'),
+'oldpassword=dwho&newpassword=t3stDIGIT\}&confirmpassword=t3stDIGIT\}'
+        ),
        cookie => "lemonldap=$id",
        accept => 'application/json',
-        length => 64
+        length => 68
    ),
    'Password min digit respected'
 );
 expectOK($res);
 count(1);

+# Test min special char
+# ---------------------
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new(
+            'oldpassword=dwho&newpassword=t3stDIGIT}&confirmpassword=t3stDIGIT}'
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'application/json',
+        length => 66
+    ),
+    'Password min special char not respected'
+);
+expectBadRequest($res);
+ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
+  or print STDERR "$@\n" . Dumper($res);
+ok(
+    $json->{error} == PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
+    'Response is PE_PP_INSUFFICIENT_PASSWORD_QUALITY'
+) or explain( $json, "error => 28" );
+count(3);
+
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new(
+'oldpassword=dwho&newpassword=t3stDIGIT}@&confirmpassword=t3stDIGIT}@'
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'application/json',
+        length => 68
+    ),
+    'Password min special char not respected'
+);
+expectBadRequest($res);
+ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
+  or print STDERR "$@\n" . Dumper($res);
+ok(
+    $json->{error} == PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
+    'Response is PE_PP_INSUFFICIENT_PASSWORD_QUALITY'
+) or explain( $json, "error => 28" );
+count(3);
+
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new(
+'oldpassword=dwho&newpassword=t3stDIGIT}@}&confirmpassword=t3stDIGIT}@}'
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'application/json',
+        length => 70
+    ),
+    'Password special char not allowed'
+);
+expectBadRequest($res);
+ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
+  or print STDERR "$@\n" . Dumper($res);
+ok(
+    $json->{error} == PE_PP_NOT_ALLOWED_CHARACTER,
+    'Response is PE_PP_NOT_ALLOWED_CHARACTER'
+) or explain( $json, "error => 100" );
+count(3);
+
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new(
+'oldpassword=dwho&newpassword=t3stDIGIT}@#}&confirmpassword=t3stDIGIT}@#}'
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'application/json',
+        length => 72
+    ),
+    'Password special chars not allowed'
+);
+expectBadRequest($res);
+ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' )
+  or print STDERR "$@\n" . Dumper($res);
+ok(
+    $json->{error} == PE_PP_NOT_ALLOWED_CHARACTERS,
+    'Response is PE_PP_NOT_ALLOWED_CHARACTERS'
+) or explain( $json, "error => 100" );
+count(3);
+
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new(
+'oldpassword=dwho&newpassword=t3stDIGIT\}&confirmpassword=t3stDIGIT\}'
+        ),
+        cookie => "lemonldap=$id",
+        accept => 'application/json',
+        length => 68
+    ),
+    'Password min special char respected'
+);
+expectOK($res);
+count(1);
+
+ok(
+    $res =
+      $client->_get( '/', cookie => "lemonldap=$id", accept => 'text/html' ),
+    'Get Menu'
+);
+ok(
+    $res->[2]->[0] =~
+      m%<li><span trspan="passwordPolicyMinSize">Minimal size:</span> 6</li>%,
+    ' passwordPolicyMinSize'
+) or print STDERR Dumper( $res->[2]->[0] );
+ok(
+    $res->[2]->[0] =~
+m%<li><span trspan="passwordPolicyMinLower">Minimal lower characters:</span> 3</li>%,
+    ' passwordPolicyMinLower'
+) or print STDERR Dumper( $res->[2]->[0] );
+ok(
+    $res->[2]->[0] =~
+m%<li><span trspan="passwordPolicyMinUpper">Minimal upper characters:</span> 3</li>%,
+    ' passwordPolicyMinUpper'
+) or print STDERR Dumper( $res->[2]->[0] );
+ok(
+    $res->[2]->[0] =~
+m%<li><span trspan="passwordPolicyMinDigit">Minimal digit characters:</span> 1</li>%,
+    ' passwordPolicyMinDigit'
+) or print STDERR Dumper( $res->[2]->[0] );
+ok(
+    $res->[2]->[0] =~
+m%<li><span trspan="passwordPolicyMinSpeChar">Minimal special characters:</span> 2</li>%,
+    ' passwordPolicyMinSpeChar'
+) or print STDERR Dumper( $res->[2]->[0] );
+ok(
+    $res->[2]->[0] =~
+m%\Q<li><span trspan="passwordPolicySpecialChar">Allowed special characters:</span> [ } \</li>\E%,
+    ' passwordPolicySpecialChar'
+) or print STDERR Dumper( $res->[2]->[0] );
+count(7);
+
 # Test $client->logout
 $client->logout($id);

--- a/lemonldap-ng-portal/t/67-CheckUser.t
+++ b/lemonldap-ng-portal/t/67-CheckUser.t
@ -212,14 +212,12 @@ ok( $res->[2]->[0] !~ m%_2fDevices</td>%, '_2fDevices NOT Found!' )

 ok( $res->[2]->[0] =~ m%<td scope="row">authMode</td>%, 'Found macro authMode' )
  or explain( $res->[2]->[0], 'Macro Key authMode' );
-ok( $res->[2]->[0] =~ m%<td scope="row">DEMO</td>%, 'Found DEMO' )
-  or explain( $res->[2]->[0], 'Macro Value DEMO' );
 ok( $res->[2]->[0] =~ m%<td scope="row">real_authMode</td>%,
    'Found macro real_authMode' )
  or explain( $res->[2]->[0], 'Macro Key real_authMode' );
 ok( $res->[2]->[0] =~ m%<td scope="row">TOTP</td>%, 'Found TOTP' )
  or explain( $res->[2]->[0], 'Macro Value TOTP' );
-count(8);
+count(7);

 $query =~ s/url=/url=http%3A%2F%2Ftest1.example.com/;
 ok(
--- a/lemonldap-ng-portal/t/68-Impersonation-with-TOTP.t
+++ b/lemonldap-ng-portal/t/68-Impersonation-with-TOTP.t
@ -28,6 +28,7 @@ SKIP: {
                impersonationMergeSSOgroups    => 1,
                totp2fSelfRegistration         => 1,
                totp2fActivation               => 1,
+                totp2fAuthnLevel               => 8
            }
        }
    );
@ -233,6 +234,46 @@ m%<div class="alert alert-success"><div class="text-center"><b><span trspan="all
      or explain( $res->[2]->[0], 'Macro Key _whatToTrace' );
    count(12);

+    ok(
+        $res = $client->_get(
+            '/checkuser',
+            cookie => "lemonldap=$id",
+            accept => 'text/html'
+        ),
+        'CheckUser form',
+    );
+    ( $host, $url, $query ) =
+      expectForm( $res, undef, '/checkuser', 'user', 'url' );
+    ok( $res->[2]->[0] =~ m%<span trspan="checkUserMerged">%,
+        'Found trspan="checkUserMerged"' )
+      or explain( $res->[2]->[0], 'trspan="checkUserMerged"' );
+    count(2);
+
+    $query =~ s/user=dwho/user=rtyler/;
+
+    ok(
+        $res = $client->_post(
+            '/checkuser',
+            IO::String->new($query),
+            cookie => "lemonldap=$id",
+            length => length($query),
+            accept => 'text/html',
+        ),
+        'POST checkuser'
+    );
+
+    ( $host, $url, $query ) =
+      expectForm( $res, undef, '/checkuser', 'user', 'url' );
+    ok( $res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%,
+        'Found trspan="checkUserComputeSession"' )
+      or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
+    ok( $res->[2]->[0] =~ m%<td scope="row">authMode</td>%,
+        'Found macro authMode' )
+      or explain( $res->[2]->[0], 'Macro Key authMode' );
+    ok( $res->[2]->[0] =~ m%<td scope="row">TOTP</td>%, 'Found TOTP' )
+      or explain( $res->[2]->[0], 'Macro Value TOTP' );
+    count(4);
+
    $client->logout($id);
 }
 clean_sessions();
--- a/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
+++ b/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
@ -321,8 +321,8 @@ ok( $res->[2]->[0] =~ m%<td scope="row">rtyler/dwho</td>%, 'Found rtyler/dwo' )
 count(15);

 my %attributes = map /<td scope="row">(.+)?<\/td>/g, $res->[2]->[0];
-ok( scalar keys %attributes == 35, 'Found 35 attributes' )
-  or print STDERR ( keys %attributes < 35 )
+ok( scalar keys %attributes == 34, 'Found 34 attributes' )
+  or print STDERR ( keys %attributes < 34 )
  ? "Missing attributes -> " . scalar keys %attributes
  : "Too much attributes -> " . scalar keys %attributes;
 ok( $attributes{'_auth'} eq 'Demo', '_auth' )
--- a/lemonldap-ng-portal/t/68-Impersonation.t
+++ b/lemonldap-ng-portal/t/68-Impersonation.t
@ -323,8 +323,10 @@ ok( $res->[2]->[0] =~ m%<td scope="row">_session_kind</td>%,
 count(17);

 my %attributes = map /<td scope="row">(.+)?<\/td>/g, $res->[2]->[0];
-ok( keys %attributes == 35, 'Found 35 attributes' )
-  or print STDERR "Missing attributes -> " . scalar %attributes;
+ok( keys %attributes == 34, 'Found 34 attributes' )
+  or print STDERR ( keys %attributes < 34 )
+  ? "Missing attributes -> " . scalar keys %attributes
+  : "Too much attributes -> " . scalar keys %attributes;
 ok( $attributes{'_auth'} eq 'Demo', '_auth' )
  or print STDERR Dumper( \%attributes );
 ok( $attributes{'uid'}, 'uid' ) or print STDERR Dumper( \%attributes );
--- a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t
+++ b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t
@ -3,7 +3,7 @@ use strict;
 use IO::String;

 require 't/test-lib.pm';
-my $maintests = 18;
+my $maintests = 20;

 SKIP: {
    eval { require Convert::Base32 };
@ -18,6 +18,7 @@ SKIP: {
                totp2fSelfRegistration => 1,
                totp2fActivation       => 1,
                totp2fTTL              => 120,
+                totp2fIssuer           => 'LLNG_Demo',
                portalMainLogo         => 'common/logos/logo_llng_old.png',
            }
        }
@ -73,8 +74,12 @@ SKIP: {
    ok( not($@), 'Content is JSON' )
      or explain( $res->[2]->[0], 'JSON content' );
    my ( $key, $token );
-    ok( $key   = $res->{secret}, 'Found secret' );
-    ok( $token = $res->{token},  'Found token' );
+    ok( $key   = $res->{secret}, 'Found secret' ) or print STDERR Dumper($res);
+    ok( $token = $res->{token},  'Found token' )  or print STDERR Dumper($res);
+    ok( $res->{portal} eq 'LLNG_Demo', 'Found issuer' )
+      or print STDERR Dumper($res);
+    ok( $res->{user} eq 'dwho', 'Found user' )
+      or print STDERR Dumper($res);
    $key = Convert::Base32::decode_base32($key);

    # Post code