rememberAuthChoice: resolve conflicts with 2.0 branch (#2737)

This commit is contained in:
David Coutadeur 2022-07-29 13:18:05 +00:00
commit a99dbbe998
260 changed files with 12532 additions and 2609 deletions

232
INSTALL
View File

@ -29,15 +29,10 @@ package for Debian works fine).
1.1.2 - Perl prereq
Perl modules:
Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
DBI, XML::Simple, SOAP::Lite, HTML::Template, XML::LibXML, XML::LibXSLT
Perl modules: use `perl scripts/dependencies-list.pl` to see needed list
With Debian:
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
libxml-simple-perl libhtml-template-perl libsoap-lite-perl \
libxml-libxml-perl libxml-libxslt-perl
apt-get build-dep lemonldap-ng
1.2 - BUILDING
--------------
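Review bot: `apt-get build-dep lemonldap-ng` only works when a lemonldap-ng source package is reachable through the configured APT sources (a deb-src line must be enabled), and it installs the build dependencies of whatever version the distribution ships, which may be older than this tree. The text should state that `perl scripts/dependencies-list.pl` is the authoritative list and that `build-dep` is a convenience, otherwise readers on a distribution without the package get an error and no fallback.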
@ -52,6 +47,8 @@ With Debian:
By default, all is installed in /usr/local/lemonldap-ng except Perl libraries
which are installed in a directory included in @INC.
Documentation is then available in /usr/local/lemonldap-ng/doc
1.2.2 - Install on Debian
$ tar xzf lemonldap-ng-*.tar.gz
@ -62,223 +59,4 @@ which are installed in a directory included in @INC.
Here, all is installed in /var/lib/lemonldap-ng, /etc/lemonldap-ng except Perl
libraries which are installed in /usr/share/perl5/Lemonldap/NG/
1.3 - EXAMPLE CONFIGURATION
---------------------------
If you have build Debian packages, configuration is done by Debconf. See
/usr/share/doc/liblemonldap-ng-common/README.Debian to use it.
After build, you have a new file named example/apache.conf. You just have to
include this file in Apache configuration:
# in httpd.conf (with Apache1)
include /path/to/lemonldap-ng/source/example/apache.conf
# or in apache2.conf (with Apache2)
include /path/to/lemonldap-ng/source/example/apache2.conf
Modify your /etc/hosts file to include:
127.0.0.1 auth.example.com test1.example.com manager.example.com test2.example.com
Use a browser to connect to http://manager.example.com/ and specify your LDAP
settings. If you don't set managerDn and managerPassword, Lemonldap::NG will
use an anonymous bind to find user dn.
Next, restart Apache use your prefered browser and try to connect to
http://test1.example.com/. You'll be redirect to auth.example.com. Try
to authenticate yourself with a valid account and the protected page will
appear. You will find other explanations on this page.
the file /usr/local/lemonldap-ng/etc/storage.conf
(/etc/lemonldap-ng/storage.conf on Debian systems) can be modified to change
configuration database.
-------------------------
2 - ADVANCED INSTALLATION
-------------------------
It is recommended to install the example first then to adapt it.
2.1 - PREREQ
2.1.1 - Apache
To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
Apache proposed with your Linux distribution match, but some distributions used
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
package for Debian works fine).
For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
faster and Lemonldap::NG use the thread system for best performance. If you
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
anyway.
You can use Lemonldap::NG in an heterogene world: the authentication portal and
the manager can work in any version of Apache 1.3 or more even if mod_perl is
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
need mod_perl. The different handlers can run on different servers with
different versions of Apache/mod_perl.
2.1.2 - Perl prereq
Warning: Handler and Portal parts both need Lemonldap::NG::Manager components
to access to configuration.
Manager:
--------
Apache::Session, MIME::Base64, CGI, LWP::UserAgent, DBI, XML::Simple,
SOAP::Lite, XML::LibXML, XML::LibXSLT, Lemonldap::NG::Common
With Debian:
apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
# If you want to use SOAP
apt-get install libsoap-lite-perl
Portal:
-------
Apache::Session, Net::LDAP, MIME::Base64, CGI, Cache::Cache, DBI, XML::Simple,
SOAP::Lite, HTML::Template, XML::LibXML, Lemonldap::NG::Common
With Debian:
apt-get install libapache-session-perl libnet-ldap-perl perl-modules
Handler:
--------
Apache::Session, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI,
XML::Simple, SOAP::Lite, Lemonldap::NG::Common
With Debian:
apt-get install libapache-session-perl libwww-perl libcache-cache-perl
2.2 - SOFTWARE INSTALLATION
---------------------------
If you just want to install a handler or a portal or a manager:
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL && make && make test
$ sudo make install
else for a complete install:
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make && make test
$ sudo make install
See prereq in §1.1.2
2.3 - LEMONLDAP::NG INSTALLATION
--------------------------------
2.3.1 - Database configuration
2.3.1.1 - Lemonldap::NG Configuration database
If you use DBI or another system to share Lemonldap::NG configuration, you have
to initialize the database. An example is given in example/lmConfig.mysql for
MySQL.
2.3.1.2 - Apache::Session database
The choice of Apache::Session::* module is free. See Apache::Session::Store::*
or Apache::Session::* to know how to configure the module. For example, if you
want to use Apache::Session::MySQL, you can create the database like this:
CREATE DATABASE sessions (
id char(32),
a_session text
);
2.3.2 - Manager configuration
Copy example/manager.cgi and personalize it if you want (see
Lemonldap::NG::Manager). You have to set in particular configStorage. For
example with MySQL:
$my $manager = Lemonldap::NG::Manager->new ( {
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
dbiUser => "lemonldap-ng",
dbiPassword => "mypass",
} );
Securise Manager access with Apache: Lemonldap::NG does not securise the manager
itself yet:
SSLEngine On
Order Deny, Allow
Deny from all
Allow from admin-network/netmask
AuthType Basic
...
After configuration, you can also protect the manager with an Lemonldap::NG
handler.
2.3.3 - Configuration edition
Connect to the manager with your browser start configure your Web-SSO. You have
to set at least some parameters:
a) General parameters :
* Authentication parameters -> portal : URL to access to the authentication
portal
* Domain : the cookie domain. All protected VirtualHosts have to be under it
* LDAP parameters -> LDAP Server
* LDAP parameters -> LDAP Accout and password : required only if anonymous
binds are not accepted
* Session Storage -> Apache::Session module : how to store user sessions.
You can use all module that
inherit from Apache::Session
like Apache::Session::MySQL
* Session Storage -> Apache::Session Module parameters :
see Apache::Session::<Choosen module>
b) User groups :
Use the "New Group" button to add your first group. On the left, set the
keyword which will be used later and set on the right the corresponding rule:
you can use :
* an LDAP filter (it will be tested with the user uid)
or
* a Perl condition enclosed with {}. All variables declared in "General
parameters -> LDAP attributes" can be used with a "$". For example:
MyGroup / { $uid eq "foo" or $uid eq "bar" }
c) Virtual hosts
You have to create a virtual host for each Apache host (virtual or real)
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
user who want to access to the protected area will be rejected with a "500
Internal Server Error" message and the apache logs will explain the problem.
Each virtual host has 2 groups of parameters:
* Headers: the headers added to the apache request. Default :
Auth-User => $uid
* Rules: subdivised in 2 categories:
* default : the default rule
* personalized rules: association of a Perl regular expression and
a condition. For example:
^/restricted.*$ / $groups =~ /\bMyGroup\b/
-------------
3 - DEBUGGING
-------------
Lemonldap::NG uses simply the Apache log system. So use LogLevel to choose
information to display.
Documentation is then available in /usr/share/doc/lemonldap-ng
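Review bot: the removed block was the only place INSTALL told administrators to restrict Manager access with Apache (`SSLEngine On`, `Deny from all` / `Allow from admin-network/netmask`, `AuthType Basic`) and to protect it with a handler afterwards, and the removed text itself warned that the Manager is not protected by default. The single replacement line pointing at /usr/share/doc/lemonldap-ng should at least name the document that now covers Manager protection, so that a fresh install does not lose that pointer.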

View File

@ -475,6 +475,7 @@ e2e-tests/conf/apache2.pid: start_web_server
start_web_server: all prepare_test_server
# Clean old server if launched
mkdir -p e2e-tests/conf
@if test "$(TESTBACKEND)" = "DBI"; then \
echo 'create table lmConfig (cfgNum int, data text);'|sqlite3 e2e-tests/conf/config.db; \
echo 'create table sessions (id text, a_session text, LastUpdated int);'|sqlite3 e2e-tests/conf/sessions.db; \
@ -1164,13 +1165,13 @@ test-diff:
done
tidy: clean
@if perltidy -v|grep v20210717 >/dev/null; then \
@if perltidy -v|grep v20220217 >/dev/null; then \
for f in `find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \)`; do \
echo -n $$f; \
perltidy -se -b $$f; \
echo; \
done; \
else echo "Wrong perltidy version, please install Perl::Tidy@20210717" ; exit 1 ;\
else echo "Wrong perltidy version, please install Perl::Tidy@20220217" ; exit 1 ;\
fi
find lemon*/ -name '*.bak' -delete
$(MAKE) json
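Review bot: the perltidy version is now pinned in two places in the `tidy` target, the `grep v20220217` test and the error message, and this bump had to touch both. Define it once, for example `PERLTIDY_VERSION = 20220217`, and use `$(PERLTIDY_VERSION)` in both lines so the next bump cannot leave them inconsistent. `grep v20220217 >/dev/null` can also become `grep -q v20220217`.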

13
debian/control vendored
View File

@ -64,7 +64,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
python3-sphinx,
python3-sphinx-bootstrap-theme,
perl
Standards-Version: 4.6.0
Standards-Version: 4.6.1
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
@ -138,6 +138,17 @@ Description: Lemonldap::NG FastCGI server
Lemonldap::NG FastCGI server provides a Nginx auth_request server that handles
also LLNG Portal and Manager.
Package: liblemonldap-ng-ssoaas-apache-client-perl
Architecture: all
Section: web
Depends: ${misc:Depends},
${perl:Depends}
Breaks: liblemonldap-ng-handler-perl (<< 2.0.14~)
Description: Lemonldap::NG SSOaaS client for Apache
Lemonldap::NG is a complete Web-SSO system that provides a SSO-as-a-Service
system, natively usable with Nginx. Lemonldap::NG::SSOaaS::Apache::Client
permits one to enroll an Apache server into Lemonldap::NG's SSOaaS service.
Package: lemonldap-ng-uwsgi-app
Architecture: all
Section: web
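Review bot: the new package declares `Breaks: liblemonldap-ng-handler-perl (<< 2.0.14~)` but no matching `Replaces`. If the SSOaaS Apache client files were previously shipped by liblemonldap-ng-handler-perl, which the Breaks implies, dpkg will refuse to overwrite them at upgrade unless `Replaces: liblemonldap-ng-handler-perl (<< 2.0.14~)` is added next to the Breaks; if the files are genuinely new, the Breaks is unnecessary and the reason for it should be documented in the changelog.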

View File

@ -0,0 +1,2 @@
usr/share/perl5/Lemonldap/NG/SSOaaS/Apache
usr/share/man/man3/Lemonldap::NG::SSOaaS::Apache*

View File

@ -764,7 +764,7 @@
"type" : "object",
"properties" : {
"service" : {
"type" : "string"
"type" : "array"
},
"userAttribute" : {
"type" : "string",
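Review bot: changing `"service"` from `"type" : "string"` to `"type" : "array"` is a breaking schema change for existing configurations that store the value as a string; validation will now reject them. Either accept both forms (`"type" : ["string", "array"]`) or add a migration note in the upgrade documentation stating that this key must be converted.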
@ -880,6 +880,9 @@
"type" : "string",
"format" : "url"
},
"logoutBypassConfirm" : {
"type" : "boolean"
},
"clientSecret" : {
"type" : "string",
"format" : "password"
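Review bot: `logoutBypassConfirm` disables a user-facing confirmation step, and the schema entry gives no hint of the trade-off. The documentation for this option should state that the confirmation page is what stops a third-party link from logging the user out, so administrators enabling it know what they give up; a default should also be stated in the schema or the docs.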

View File

@ -63,23 +63,48 @@ Then, go in ``CAS parameters``:
- **Authentication level**: authentication level for this module.
Then create the list of CAS servers in the manager. For each, set:
Then create the list of CAS servers in the manager.
Options
~~~~~~~
- **Server URL** *(required)*: CAS server URL (must use https://)
- **Renew authentication** *(default: disabled)*: force authentication
renewal on CAS server
- **Gateways authentication** *(default: disabled)*: force transparent
authentication on CAS server
Proxied services
~~~~~~~~~~~~~~~~
In this section, set the list of services for which a proxy ticket is
requested:
- **Key**: Service ID
- **Value** Service URL (CAS service identifier)
Display
~~~~~~~
- **Display Name**: Name to display. Required if you have more than 1
CAS server declared
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
CAS server declared
- **Order**: Number to sort CAS Servers display
- **Proxied services**: list of services for which a proxy ticket is
requested:
- **Resolution Rule**: rule that will be applied to preselect a CAS server for
a user. You have access to all environment variable *(like user IP address)*
and all session keys.
- **Key**: Service ID
- **Value** Service URL (CAS service identifier)
For example, to preselect this server for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_SRV"
- **Order**: Number to sort CAS Servers display
.. tip::
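Review bot: the new example text says "users coming from 129.168.0.0/16 network" while the rule matches `^192\.168`; one of the two is a typo and the same mismatch is introduced in the OpenID Connect and SAML pages of this commit. Also, "**Value** Service URL" is missing the colon that every other bullet has, and the **Resolution Rule** bullet now sits under "Display" although it selects a server rather than displaying one.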

View File

@ -74,12 +74,12 @@ Connection
- More than one server can be set here separated by spaces or
commas. They will be tested in the specified order.
- To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
- To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set
``ldaps://server`` instead of server name.
- If you use TLS, you can set any of the
- If you use StartTLS or LDAPS, you can set any of the
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
start_tls() sub like
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
start_tls() options in the URL, such as ``ldap+tls://server/verify=none``
or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server if different from the standard
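Review bot: the reworded StartTLS paragraph leads with `ldap+tls://server/verify=none`, which teaches readers to disable certificate verification before showing them how to enable it. Put the `cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2` form first and mark `verify=none` as a troubleshooting setting only, since with it the StartTLS connection does not authenticate the LDAP server.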
@ -208,7 +208,7 @@ Password
- **Allow a user to reset his expired password**: if activated, the
user will be prompted to change password if his password is expired
(default: disabled)
- **Search for user before password change**: this option forces the password
- **Search for user before password change**: this option forces the password
change module to search for the user again, refreshing its DN. This feature
is only useful in rare cases when you use LDAP as the password module, but
not as the UserDB module. (default: enabled)

View File

@ -210,42 +210,59 @@ So you can define by example:
Options
^^^^^^^
- **Configuration**:
Configuration
"""""""""""""
- **Configuration endpoint**: URL of OP configuration endpoint
- **JWKS data timeout**: After this time, LL::NG will do a request
to get a fresh version of JWKS data. Set to 0 to disable it.
- **Client ID**: Client ID given by OP
- **Client secret**: Client secret given by OP
- **Store ID token**: Allows one to store the ID Token (JWT) inside
user session. Do not enable it unless you need to replay this token
on an application, or if you need the id_token_hint parameter when
using logout.
- **Configuration endpoint**: URL of OP configuration endpoint
- **JWKS data timeout**: After this time, LL::NG will do a request
to get a fresh version of JWKS data. Set to 0 to disable it.
- **Client ID**: Client ID given by OP
- **Client secret**: Client secret given by OP
- **Store ID token**: Allows one to store the ID Token (JWT) inside
user session. Do not enable it unless you need to replay this token
on an application, or if you need the id_token_hint parameter when
using logout.
- **Protocol**:
Protocol
""""""""
- **Scope**: Value of scope parameter (example: openid profile). The
``openid`` scope is mandatory.
- **Display**: Value of display parameter (example: page)
- **Prompt**: Value of prompt parameter (example: consent)
- **Max age**: Value of max_age parameter (example: 3600)
- **UI locales**: Value of ui_locales parameter (example: en-GB en
fr-FR fr)
- **ACR values**: Value acr_values parameters (example: loa-1)
- **Token endpoint authentication method**: Choice between
``client_secret_post`` and ``client_secret_basic``
- **Check JWT signature**: Set to 0 to disable JWT signature
checking
- **ID Token max age**: If defined, LL::NG will check the ID Token
date and reject it if too old
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
the ID Token
- **Scope**: Value of scope parameter (example: openid profile). The
``openid`` scope is mandatory.
- **Display**: Value of display parameter (example: page)
- **Prompt**: Value of prompt parameter (example: consent)
- **Max age**: Value of max_age parameter (example: 3600)
- **UI locales**: Value of ui_locales parameter (example: en-GB en
fr-FR fr)
- **ACR values**: Value acr_values parameters (example: loa-1)
- **Token endpoint authentication method**: Choice between
``client_secret_post`` and ``client_secret_basic``
- **Check JWT signature**: Set to 0 to disable JWT signature
checking
- **ID Token max age**: If defined, LL::NG will check the ID Token
date and reject it if too old
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
the ID Token
Display
"""""""
- **Display**:
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Resolution Rule**: rule that will be applied to preselect an OP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Order**: Number to sort buttons
For example, to preselect this OP for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this OP when the ``MY_OP`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_OP"
- **Order**: Number to sort buttons
.. attention::
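Review bot: the Display section repeats the "129.168.0.0/16" versus `^192\.168` mismatch already present in the CAS page of this commit; fix the prose to 192.168.0.0/16 in both places. The **Resolution Rule** bullet also ended up under "Display" while it describes OP selection, not presentation; a separate heading or placing it under "Protocol" would read better.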
@ -254,4 +271,4 @@ Options
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``

View File

@ -111,20 +111,6 @@ For each attribute, you can set:
Options
^^^^^^^
General options
'''''''''''''''
- **Resolution Rule**: rule that will be applied to preselect an IDP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
For example, to preselect this IDP for users coming from 129.168.0.0/16
network and member of "admin" group:
::
$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
Authentication request
''''''''''''''''''''''
@ -212,8 +198,6 @@ Used only if at least 2 SAML Identity Providers are declared
- **Display name**: Name of the IDP
- **Logo**: Logo of the IDP
- **Order**: Number used for sorting IDP display
.. tip::
@ -222,6 +206,23 @@ Used only if at least 2 SAML Identity Providers are declared
icon file name directly in the field and copy the logo file in portal
icons directory
- **Resolution Rule**: rule that will be applied to preselect an IDP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
For example, to preselect this IDP for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this IDP when the ``MY_IDP`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_IDP"
- **Order**: Number used for sorting IDP display
.. |image0| image:: /documentation/manager-saml-metadata.png
:class: align-center
.. |image1| image:: /documentation/manager-saml-attributes.png
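Review bot: the Resolution Rule example that moved here drops the old `and $groups =~ /\badmin\b/` clause, so the statement that "all session keys" are available is no longer illustrated by the example; keep a session-key condition in at least one of the two examples. The prose also says "129.168.0.0/16" while the rule matches `^192\.168`, the same mismatch as in the CAS and OpenID Connect pages of this commit.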

View File

@ -31,3 +31,18 @@ Go in ``General parameters`` > ``Portal`` > ``Captcha``:
- **Activation in register form**: set to 1 to display captcha in
register form
- **Size**: length of captcha
- **Captcha module**: allows you to use a custom Captcha module, see
:ref:`below <customcaptcha>`. Leave it blank to use the default Captcha
implementation
- **Captcha module options**: options for the custom Captcha module
.. _customcaptcha:
Custom Captcha modules
----------------------
.. versionadded:: 2.0.15
If the default Captcha does not meet your requirements, you can replace it with
a different implementation. See the ``Lemonldap::NG::Portal::Captcha`` manual
page for details on how to implement a Captcha module.

View File

@ -50,7 +50,7 @@ master_doc = 'start'
# General information about the project.
project = u'LemonLDAP::NG'
copyright = u'2021, LemonLDAP::NG'
copyright = u'2022, LemonLDAP::NG'
author = u'LemonLDAP::NG'
# The version info for the project you're documenting, acts as replacement for

View File

@ -128,6 +128,21 @@ configuration.
instanceName = LLNG_Demo
.. tip::
It is possible to use environment variable placeholders anywhere in
configuration. Those placeholders will be replaced by each LLNG component
using environment variables set locally.
The format is: ``%SERVERENV:VariableName%``.
To enable this feature, you must edit ``lemonldap-ng.ini`` to set
``useServerEnv`` value in [configuration] section:
.. code:: ini
[configuration]
useServerEnv = 1
Manager API
-----------
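Review bot: the tip does not say what happens when `%SERVERENV:VariableName%` refers to a variable that is not set in a component's environment (empty string, placeholder left as is, or startup error). Since the obvious use of this feature is keeping secrets such as client secrets and database passwords out of the stored configuration, the behaviour on a missing variable is security relevant and should be documented, together with a reminder that `useServerEnv = 1` must be set in the `lemonldap-ng.ini` of every component that should expand placeholders.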

View File

@ -16,19 +16,19 @@ DecryptValue plugin can be allowed or denied for specific users.
- **Use rule**: Select which users may use this plugin
- **Decrypt functions**: Set functions used for decrypting ciphered
values. Each function is tested until one succeeds. Let it blank
to use internal decrypt function.
to use internal ``decrypt`` extended function.
.. danger::
.. attention::
The ciphered value is the first parameter passed to custom functions.
The ``Encryption key`` is passed to custom funtions as second parameter
(see :ref:`Security settings<security-configure-security-settings>`).
Custom functions must be defined into
``Lemonldap::NG::Portal::My::Plugin`` and set:
``My::Plugin`` and set:
::
My::Plugin::function1 My::Plugin::function2
.. |image0| image:: /documentation/beta.png
:width: 100px
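Review bot: downgrading the admonition from `.. danger::` to `.. attention::` is questionable, because the note that follows says the `Encryption key` (the instance's master key) is passed to custom functions as the second parameter; a custom decrypt function therefore receives the key material, and a reader configuring `Decrypt functions` should see that flagged prominently. While touching this block, the unchanged context line has "custom funtions", which should read "custom functions".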

View File

@ -57,14 +57,14 @@ Debian dist LL::NG version
=========== ========================== ======================================== ===================================================== ============================================================ =================================== =============================================================
*6* *Squeeze* *0.9.4.1* |maybe| No known vulnerability *None* *February 2016* *April 2019*
*7* *Wheezy* `1.1.2 </documentation/1.1/>`__ |maybe| No known vulnerability *None* *May 2018* *June 2020*
**8** Jessie `1.3.3 </documentation/1.3/>`__ |clean| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 June 2022, possibly 2024
**9** Stretch `1.9.7 </documentation/1.9/>`__ |clean| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022 Probably 2024
*8* *Jessie* `1.3.3 </documentation/1.3/>`__ |maybe| CVE-2019-19791 tagged as minor **None** [1]_ June 2020 *June 2022*
*9* *Stretch* `1.9.7 </documentation/1.9/>`__ |maybe| CVE-2019-19791 tagged as minor `Debian LTS Team <https://www.debian.org/lts/>`__ June 2022 Possibly 2024
\ *Stretch-backports* `2.0.2 </documentation/2.0/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941 *None* *June 2019*
\ *Stretch-backports-sloppy* `2.0.11 </documentation/2.0/>`__ |maybe| *None* *August 2021*
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ June 2024 Probably 2026
**10** Buster `2.0.2 </documentation/2.0/>`__ |clean| CVE-2019-19791 tagged as minor `Debian Security Team <https://security-team.debian.org/>`__ June 2024 June 2026
\ Buster-backports `2.0.14 </documentation/2.0/>`__ |clean| LL::NG Team, "best effort" [3]_ Maybe until Debian 12 release [4]_
\ *Buster-backports-sloppy* *Adds libauthen-webauthn-perl only* |clean| LL::NG Team, "best effort" [3]_ June 2024
**11** Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ July 2026 Probably 2028
**11** Bullseye `2.0.11 </documentation/2.0/>`__ |clean| `Debian Security Team <https://security-team.debian.org/>`__ July 2026 June 2028
\ Bullseye-backports `2.0.14 </documentation/2.0/>`__ |clean| LL::NG Team, "best effort" [3]_ Maybe until Debian 13 release [4]_
**Next** Testing/Unstable Latest [5]_ |clean| LL::NG Team
=========== ========================== ======================================== ===================================================== ============================================================ =================================== =============================================================
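Review bot: the Stretch-backports-sloppy row keeps 2.0.11 at |maybe| with maintainer *None*, while the Ubuntu table on this same page tags 2.0.11 (Hirsute) as |bad| with CVE-2021-35472, CVE-2021-35473 and CVE-2021-40874. Unless the Debian backport carries fixes for those CVEs, the Debian row should be |bad| and list them too; if it does carry the fixes, say so in a footnote so the two tables do not contradict each other.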
@ -91,6 +91,7 @@ Ubuntu dist LL::NG version Secured
20.04 Focal [9]_ `2.0.7 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473, CVE-2021-40874 None
20.10 Groovy `2.0.8 </documentation/2.0/>`__ |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473, CVE-2021-40874 None
21.04 Hirsute `2.0.11 </documentation/2.0/>`__ |bad| CVE-2021-35472, CVE-2021-35473, CVE-2021-40874 None
22.04 Jammy `2.0.13 </documentation/2.0/>`__ |bad| CVE-2021-40874 None
=========== ============= ================================ ==================================================================== ===========
Bug report

View File

@ -5,109 +5,109 @@ Error codes list
This page references all Portal error codes.
.. code-block:: perl
PE_IDPCHOICE => -5,
PE_SENDRESPONSE => -4,
PE_INFO => -3,
PE_REDIRECT => -2,
PE_DONE => -1,
PE_OK => 0,
PE_SESSIONEXPIRED => 1,
PE_FORMEMPTY => 2,
PE_WRONGMANAGERACCOUNT => 3,
PE_USERNOTFOUND => 4,
PE_BADCREDENTIALS => 5,
PE_LDAPCONNECTFAILED => 6,
PE_LDAPERROR => 7,
PE_APACHESESSIONERROR => 8,
PE_FIRSTACCESS => 9,
PE_BADCERTIFICATE => 10,
PE_NO_PASSWORD_BE => 20,
PE_PP_ACCOUNT_LOCKED => 21,
PE_PP_PASSWORD_EXPIRED => 22,
PE_CERTIFICATEREQUIRED => 23,
PE_ERROR => 24,
PE_PP_CHANGE_AFTER_RESET => 25,
PE_PP_PASSWORD_MOD_NOT_ALLOWED => 26,
PE_PP_MUST_SUPPLY_OLD_PASSWORD => 27,
PE_PP_INSUFFICIENT_PASSWORD_QUALITY => 28,
PE_PP_PASSWORD_TOO_SHORT => 29,
PE_PP_PASSWORD_TOO_YOUNG => 30,
PE_PP_PASSWORD_IN_HISTORY => 31,
PE_PP_GRACE => 32,
PE_PP_EXP_WARNING => 33,
PE_PASSWORD_MISMATCH => 34,
PE_PASSWORD_OK => 35,
PE_NOTIFICATION => 36,
PE_BADURL => 37,
PE_NOSCHEME => 38,
PE_BADOLDPASSWORD => 39,
PE_MALFORMEDUSER => 40,
PE_SESSIONNOTGRANTED => 41,
PE_CONFIRM => 42,
PE_MAILFORMEMPTY => 43,
PE_BADMAILTOKEN => 44,
PE_MAILERROR => 45,
PE_MAILOK => 46,
PE_LOGOUT_OK => 47,
PE_SAML_ERROR => 48,
PE_SAML_LOAD_SERVICE_ERROR => 49,
PE_SAML_LOAD_IDP_ERROR => 50,
PE_SAML_SSO_ERROR => 51,
PE_SAML_UNKNOWN_ENTITY => 52,
PE_SAML_DESTINATION_ERROR => 53,
PE_SAML_CONDITIONS_ERROR => 54,
PE_SAML_IDPSSOINITIATED_NOTALLOWED => 55,
PE_SAML_SLO_ERROR => 56,
PE_SAML_SIGNATURE_ERROR => 57,
PE_SAML_ART_ERROR => 58,
PE_SAML_SESSION_ERROR => 59,
PE_SAML_LOAD_SP_ERROR => 60,
PE_SAML_ATTR_ERROR => 61,
PE_OPENID_EMPTY => 62,
PE_OPENID_BADID => 63,
PE_MISSINGREQATTR => 64,
PE_BADPARTNER => 65,
PE_MAILCONFIRMATION_ALREADY_SENT => 66,
PE_PASSWORDFORMEMPTY => 67,
PE_CAS_SERVICE_NOT_ALLOWED => 68,
PE_MAILFIRSTACCESS => 69,
PE_MAILNOTFOUND => 70,
PE_PASSWORDFIRSTACCESS => 71,
PE_MAILCONFIRMOK => 72,
PE_RADIUSCONNECTFAILED => 73,
PE_MUST_SUPPLY_OLD_PASSWORD => 74,
PE_FORBIDDENIP => 75,
PE_CAPTCHAERROR => 76,
PE_CAPTCHAEMPTY => 77,
PE_REGISTERFIRSTACCESS => 78,
PE_REGISTERFORMEMPTY => 79,
PE_REGISTERALREADYEXISTS => 80,
PE_NOTOKEN => 81,
PE_TOKENEXPIRED => 82,
PE_U2FFAILED => 83,
PE_UNAUTHORIZEDPARTNER => 84,
PE_RENEWSESSION => 85,
PE_WAIT => 86,
PE_MUSTAUTHN => 87,
PE_MUSTHAVEMAIL => 88,
PE_SAML_SERVICE_NOT_ALLOWED => 89,
PE_OIDC_SERVICE_NOT_ALLOWED => 90,
PE_OID_SERVICE_NOT_ALLOWED => 91,
PE_GET_SERVICE_NOT_ALLOWED => 92,
PE_IMPERSONATION_SERVICE_NOT_ALLOWED => 93,
PE_ISSUERMISSINGREQATTR => 94,
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED => 95,
PE_BADOTP => 96,
PE_RESETCERTIFICATE_INVALID => 97,
PE_RESETCERTIFICATE_FORMEMPTY => 98,
PE_RESETCERTIFICATE_FIRSTACCESS => 99,
PE_PP_NOT_ALLOWED_CHARACTER => 100,
PE_PP_NOT_ALLOWED_CHARACTERS => 101,
PE_UPGRADESESSION => 102,
PE_NO_SECOND_FACTORS => 103,
PE_BAD_DEVOPS_FILE => 104,
PE_FILENOTFOUND => 105,
PE_OIDC_AUTH_ERROR => 106
```
PE_IDPCHOICE => -5,
PE_SENDRESPONSE => -4,
PE_INFO => -3,
PE_REDIRECT => -2,
PE_DONE => -1,
PE_OK => 0,
PE_SESSIONEXPIRED => 1,
PE_FORMEMPTY => 2,
PE_WRONGMANAGERACCOUNT => 3,
PE_USERNOTFOUND => 4,
PE_BADCREDENTIALS => 5,
PE_LDAPCONNECTFAILED => 6,
PE_LDAPERROR => 7,
PE_APACHESESSIONERROR => 8,
PE_FIRSTACCESS => 9,
PE_BADCERTIFICATE => 10,
PE_NO_PASSWORD_BE => 20,
PE_PP_ACCOUNT_LOCKED => 21,
PE_PP_PASSWORD_EXPIRED => 22,
PE_CERTIFICATEREQUIRED => 23,
PE_ERROR => 24,
PE_PP_CHANGE_AFTER_RESET => 25,
PE_PP_PASSWORD_MOD_NOT_ALLOWED => 26,
PE_PP_MUST_SUPPLY_OLD_PASSWORD => 27,
PE_PP_INSUFFICIENT_PASSWORD_QUALITY => 28,
PE_PP_PASSWORD_TOO_SHORT => 29,
PE_PP_PASSWORD_TOO_YOUNG => 30,
PE_PP_PASSWORD_IN_HISTORY => 31,
PE_PP_GRACE => 32,
PE_PP_EXP_WARNING => 33,
PE_PASSWORD_MISMATCH => 34,
PE_PASSWORD_OK => 35,
PE_NOTIFICATION => 36,
PE_BADURL => 37,
PE_NOSCHEME => 38,
PE_BADOLDPASSWORD => 39,
PE_MALFORMEDUSER => 40,
PE_SESSIONNOTGRANTED => 41,
PE_CONFIRM => 42,
PE_MAILFORMEMPTY => 43,
PE_BADMAILTOKEN => 44,
PE_MAILERROR => 45,
PE_MAILOK => 46,
PE_LOGOUT_OK => 47,
PE_SAML_ERROR => 48,
PE_SAML_LOAD_SERVICE_ERROR => 49,
PE_SAML_LOAD_IDP_ERROR => 50,
PE_SAML_SSO_ERROR => 51,
PE_SAML_UNKNOWN_ENTITY => 52,
PE_SAML_DESTINATION_ERROR => 53,
PE_SAML_CONDITIONS_ERROR => 54,
PE_SAML_IDPSSOINITIATED_NOTALLOWED => 55,
PE_SAML_SLO_ERROR => 56,
PE_SAML_SIGNATURE_ERROR => 57,
PE_SAML_ART_ERROR => 58,
PE_SAML_SESSION_ERROR => 59,
PE_SAML_LOAD_SP_ERROR => 60,
PE_SAML_ATTR_ERROR => 61,
PE_OPENID_EMPTY => 62,
PE_OPENID_BADID => 63,
PE_MISSINGREQATTR => 64,
PE_BADPARTNER => 65,
PE_MAILCONFIRMATION_ALREADY_SENT => 66,
PE_PASSWORDFORMEMPTY => 67,
PE_CAS_SERVICE_NOT_ALLOWED => 68,
PE_MAILFIRSTACCESS => 69,
PE_MAILNOTFOUND => 70,
PE_PASSWORDFIRSTACCESS => 71,
PE_MAILCONFIRMOK => 72,
PE_RADIUSCONNECTFAILED => 73,
PE_MUST_SUPPLY_OLD_PASSWORD => 74,
PE_FORBIDDENIP => 75,
PE_CAPTCHAERROR => 76,
PE_CAPTCHAEMPTY => 77,
PE_REGISTERFIRSTACCESS => 78,
PE_REGISTERFORMEMPTY => 79,
PE_REGISTERALREADYEXISTS => 80,
PE_NOTOKEN => 81,
PE_TOKENEXPIRED => 82,
PE_U2FFAILED => 83,
PE_UNAUTHORIZEDPARTNER => 84,
PE_RENEWSESSION => 85,
PE_WAIT => 86,
PE_MUSTAUTHN => 87,
PE_MUSTHAVEMAIL => 88,
PE_SAML_SERVICE_NOT_ALLOWED => 89,
PE_OIDC_SERVICE_NOT_ALLOWED => 90,
PE_OID_SERVICE_NOT_ALLOWED => 91,
PE_GET_SERVICE_NOT_ALLOWED => 92,
PE_IMPERSONATION_SERVICE_NOT_ALLOWED => 93,
PE_ISSUERMISSINGREQATTR => 94,
PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED => 95,
PE_BADOTP => 96,
PE_RESETCERTIFICATE_INVALID => 97,
PE_RESETCERTIFICATE_FORMEMPTY => 98,
PE_RESETCERTIFICATE_FIRSTACCESS => 99,
PE_PP_NOT_ALLOWED_CHARACTER => 100,
PE_PP_NOT_ALLOWED_CHARACTERS => 101,
PE_UPGRADESESSION => 102,
PE_NO_SECOND_FACTORS => 103,
PE_BAD_DEVOPS_FILE => 104,
PE_FILENOTFOUND => 105,
PE_OIDC_AUTH_ERROR => 106
```
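Review bot: this hunk replaces 109 lines with content that is identical in the rendered view, so it is an indentation-only change to the `.. code-block:: perl` body; that is fine, but the stray markdown fence "```" that closes the list is carried over unchanged and has no meaning in reStructuredText, where it will be rendered as literal text. Drop it, since the indented block already delimits the code.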

View File

@ -18,12 +18,12 @@ This is also true for:
Inside this jail, you can access to:
* all session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
* All session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
* Core Perl subroutines (split, pop, map, etc.)
* :doc:`Custom functions<customfunctions>`
* The `encode_base64 <http://perldoc.perl.org/MIME/Base64.html>`__ subroutine
* Information about current request
* Extended functions:
* Extended functions except basic, iso2unicode and unicode2iso:
* basic_
* checkDate_
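Review bot: the new heading "Extended functions except basic, iso2unicode and unicode2iso:" says those three are unavailable in the Safe jail, yet the list directly below still opens with `basic_` and, further down, still contains `iso2unicode_` and `unicode2iso_`. Either remove them from this list or annotate each of those entries with "(not available in the Safe jail)" so the heading and the list agree.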
@ -36,9 +36,11 @@ Inside this jail, you can access to:
* inGroup_ (|new| in version 2.0.8)
* isInNet6_
* iso2unicode_
* iso2unicodeSafe_ (|new| in version 2.0.15)
* listMatch_ (|new| in version 2.0.7)
* token_
* unicode2iso_
* unicode2isoSafe_ (|new| in version 2.0.15)
* varIsInUri_ (|new| in version 2.0.7)
@ -53,48 +55,71 @@ Inside this jail, you can access to:
Extended Functions List
-----------------------
date
~~~~
basic
~~~~~
Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
by calling ``date(1)``
.. attention::
::
This function is not compliant with the :doc:`Safe jail<safejail>`,
you will have to disable the jail to use it.
For example: date(1) lt '19551018080000'
dateToTime
~~~~~~~~~~
This function builds the ``Authorization`` HTTP header employed in
:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
convert `user` and `password` parameters from UTF-8 to ISO-8859-1.
.. versionadded:: 2.0.12
Functions parameters:
Converts a string date into epoch time.
The date format is the LDAP date syntax, for example for the 1st March
2009 (GMT):
::
20090301000000Z
The date may end with a differential timezone that is interpreted to
adjust the epoch time, for example for the 1st March 2009 (+0100):
::
20090301000000+0100
- **user**
- **password**
Simple usage example:
::
dateToTime($ssoStartDate) lt dateToTime(date(1))
basic($uid,$_password)
checkDate
~~~~~~~~~
This function checks date of current request, and compare it to
a start date and an end date. It returns 1 if this matches, 0 else.
The date format corresponds to LDAP date syntax, for example for the 1st of March
2009 (GMT)
::
20090301000000Z
|new| Since version 2.0.12, the date may end with a differential timezone,
for example for the 1st of March 2009 (+0100):
::
20090301000000+0100
Functions parameters:
- **start**: Start date (GMT unless, |new| since version 2.0.12, a
differential timezone is included)
- **end**: End date (GMT unless, |new| since version 2.0.12, a
differential timezone is included)
- **default_access** (optional): Which result to return if **start** and
**end** dates are empty
Simple usage example:
::
checkDate($ssoStartDate, $ssoEndDate)
checkLogonHours
~~~~~~~~~~~~~~~
This function will check the day and the hour of current request, and
compare it to allowed days and hours. It returns 1 if this match, 0
This function checks the day and the hour of current request, and
compare it to allowed days and hours. It returns 1 if matches, 0
else. By default, the allowed days and hours is an hexadecimal
value, representing each hour of the week. A day has 24 hours, and a
week 7 days, so the value contains 168 bits, converted into 42
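Review bot: in the checkLogonHours paragraph, "It returns 1 if matches, 0 else" is ungrammatical; suggest "It returns 1 if it matches, 0 otherwise", and "compare it to allowed days and hours" should be "compares it" to agree with "checks". The rewritten checkDate sentence just above has the same "compare it" / "0 else" wording and should get the same fix.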
@ -112,12 +137,12 @@ For example, for a full access, excepted week-end:
You can use the binary value from the logonHours attribute of Active
Directory, or create a custom attribute in your LDAP schema.
Functions parameters:
Function parameters:
- **logon_hours**: string representing allowed logon hours (GMT)
- **logon_hours**: String representing allowed logon hours (GMT)
- **syntax** (optional): ``hexadecimal`` (default) or ``octetstring``
- **time_correction** (optional): hours to add or to subtract
- **default_access** (optional): what result to return if
- **time_correction** (optional): Hours to add or to subtract
- **default_access** (optional): Which result to return if
**logon_hours** is empty
Simple usage example:
@ -156,113 +181,58 @@ rejected. You can allow these users instead of reject them:
checkLogonHours($ssoLogonHours, '', '', '1')
date
~~~~
checkDate
~~~~~~~~~
This function will check the date of current request, and compare it to
a start date and an end date. It returns 1 if this match, 0 else.
The date format is the LDAP date syntax, for example for the 1st of March
2009 (GMT)
Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
by calling ``date(1)``
::
20090301000000Z
For example: date(1) lt '19551018080000'
|new| Since version 2.0.12, the date may end with a differential timezone,
for example for the 1st of March 2009 (+0100):
dateToTime
~~~~~~~~~~
.. versionadded:: 2.0.12
Used for converting a string date into epoch time.
The date format is the LDAP date syntax, for example for the 1st March
2009 (GMT):
::
20090301000000Z
The date may end with a differential timezone that is interpreted to
adjust the epoch time, for example for the 1st March 2009 (+0100):
::
20090301000000+0100
Functions parameters:
- **start**: Start date (GMT unless, |new| since version 2.0.12, a
differential timezone is included)
- **end**: End date (GMT unless, |new| since version 2.0.12, a
differential timezone is included)
- **default_access** (optional): what result to return if **start** and
**end** are empty
Simple usage example:
::
checkDate($ssoStartDate, $ssoEndDate)
dateToTime($ssoStartDate) lt dateToTime(date(1))
encrypt
~~~~~~~
basic
~~~~~
.. tip::
.. attention::
Since version 2.0, this function is now compliant with
:doc:`Safe jail<safejail>`.
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
it.
This function builds the ``Authorization`` HTTP header used in
:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
force conversion from UTF-8 to ISO-8859-1 of user and password data.
Functions parameters:
- **user**
- **password**
Simple usage example:
This function uses the secret key of LL::NG configuration to crypt a data.
This can be used for anonymizing identifier given to the protected
application.
::
basic($uid,$_password)
unicode2iso
~~~~~~~~~~~
.. attention::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
it.
This function convert a string from UTF-8 to ISO-8859-1.
Functions parameters:
- **string**
Simple usage example:
::
unicode2iso($name)
iso2unicode
~~~~~~~~~~~
.. attention::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
it.
This function convert a string from ISO-8859-1 to UTF-8.
Functions parameters:
- **string**
Simple usage example:
::
iso2unicode($name)
encrypt($_whatToTrace)
groupMatch
~~~~~~~~~~
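Review bot: the encrypt description "uses the secret key of LL::NG configuration to crypt a data" should read "to encrypt a value". Since the stated purpose is anonymizing an identifier handed to a protected application, the paragraph should also say that the output is bound to that configuration key, so changing the key changes the value the application sees (relevant to the `encrypt($_whatToTrace)` example, where the application may be storing it).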
@ -316,6 +286,71 @@ Example::
$_2fDevices =~ /"type":\s*"TOTP"/s
inGroup
~~~~~~~
.. versionadded:: 2.0.8
This function lets you test if the user is in a given group. It is
case-insensitive.
Usage example:
::
inGroup('admins')
inGroup('test users')
The function returns 1 if the user belongs to the given group, and 0 if
they don't.
isInNet6
~~~~~~~~
Function to check if an IPv6 address is in a subnet. Example *check if
IP address is local*:
.. code-block:: perl
isInNet6($ipAddr, 'fe80::/10')
iso2unicode
~~~~~~~~~~~
.. attention::
This function is not compliant with :doc:`Safe jail<safejail>`.
You will have to disable the jail to use it.
This function converts a string from ISO-8859-1 to UTF-8.
Function parameter:
- **string**
Simple usage example:
::
iso2unicode($name)
iso2unicodeSafe
~~~~~~~~~~~~~~~
This function converts a string from ISO-8859-1 to UTF-8
but it is not as portable as the original one.
Functions parameters:
- **string**
Simple usage example:
::
iso2unicodeSafe($name)
.. _listMatch:
listMatch
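Review bot: iso2unicodeSafe is described only as "not as portable as the original one", which does not tell the reader when to pick it; given that the section lead excludes iso2unicode from the Safe jail, say plainly that iso2unicodeSafe is the jail-compatible variant and what portability is lost. Also "Functions parameters:" here should be "Function parameter:", as used for iso2unicode just above.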
@ -346,42 +381,6 @@ Simple usage example:
The function returns 1 if the value was found, and 0 if it was not
found.
inGroup
~~~~~~~
.. versionadded:: 2.0.8
This function lets you test if the user is in a given group. It is
case-insensitive.
Usage example:
::
inGroup('admins')
inGroup('test users')
The function returns 1 if the user belongs to the given group, and 0 if
they don't.
encrypt
~~~~~~~
.. tip::
Since version 2.0, this function is now compliant with
:doc:`Safe jail<safejail>`.
This function uses the secret key of LLNG configuration to crypt a data.
This can be used for anonymizing identifier given to the protected
application.
::
encrypt($_whatToTrace)
token
~~~~~
@ -392,16 +391,6 @@ This function generates token used for
token($_session_id,'webapp1.example.com','webapp2.example.com')
isInNet6
~~~~~~~~
Function to check if an IPv6 address is in a subnet. Example *check if
IP address is local*:
.. code-block:: perl
isInNet6($ipAddr, 'fe80::/10')
varIsInUri
~~~~~~~~~~
@ -433,3 +422,39 @@ Example *check if $uid is in /check-auth/ URI*:
:width: 35px
.. |image1| image:: /documentation/new.png
:width: 35px
unicode2iso
~~~~~~~~~~~
.. attention::
This function is not compliant with :doc:`Safe jail<safejail>`.
You will have to disable the jail to use it.
This function convert a string from UTF-8 to ISO-8859-1.
Function parameter:
- **string**
Simple usage example:
::
unicode2iso($name)
unicode2isoSafe
~~~~~~~~~~~~~~~
This function convert a string from UTF-8 to ISO-8859-1
but it is not as portable as the original one.
Function parameter:
- **string**
Simple usage example:
::
unicode2isoSafe($name)
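Review bot: "This function convert a string from UTF-8 to ISO-8859-1" appears twice in this hunk (unicode2iso and unicode2isoSafe) and should read "converts". Same remark as for iso2unicodeSafe: "not as portable as the original one" should state that unicode2isoSafe is the Safe-jail compatible variant and what is lost by using it.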

View File

@ -30,6 +30,9 @@ All parameters are configured in "General Parameters » Portal Parameters
/ Verification to an external provider. You must also use *$code*
which is the value entered by user; Example:
``/usr/local/bin/verify --uid $uid --code $code``
- **Re-send interval**: Set this to a non-empty value to allow the user to
re-send the code in case a transmission error occured. The value sets how
many seconds the user has to wait before each attempt
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
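Review bot: "occured" should be "occurred" in the new Re-send interval entry. The entry should also state what an empty value means (re-send disabled, since only a non-empty value enables it) and make explicit that the interval is the per-user wait between re-send attempts, since that wait is what keeps the re-send button from being used to flood the external delivery channel.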

View File

@ -100,6 +100,7 @@ Sample code::
sub addClaimToUserInfo {
my ( $self, $req, $userinfo, $rp, $session_data) = @_;
my $scope = $session_data->{_scope};
$userinfo->{"userinfo_hook"} = 1;
return PE_OK;
}
@ -178,6 +179,61 @@ Sample code::
}
oidcGotOnlineRefresh
~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.15
This hook is triggered when LemonLDAP::NG handles a Refresh Token grant for an
online session
The hook's parameters are:
* the configuration key of the relying party which received the grant
* A hash of session data for the (internal) Refresh Token session
* A hash of the user's session data
Sample code::
use constant hook => {
oidcGotOnlineRefresh => 'logRefresh',
};
sub logRefresh {
my ( $self, $req, $rp, $refreshInfo, $sessionInfo ) = @_;
my $uid = $sessionInfo->{uid};
$self->userLogger->info("OIDC application $rp requested a new access token for $uid");
return PE_OK;
}
oidcGotOfflineRefresh
~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.15
This hook is triggered when LemonLDAP::NG handles a Refresh Token grant for an
offline session
The hook's parameters are:
* the configuration key of the relying party which received the grant
* A hash of session data for the (internal) Refresh Token session, which also
contains user attributes
Sample code::
use constant hook => {
oidcGotOfflineRefresh => 'logRefreshOffline',
};
sub logRefreshOffline {
my ( $self, $req, $rp, $refreshInfo ) = @_;
my $uid = $refreshInfo->{uid};
$self->userLogger->info("OIDC application $rp used offline access for $uid");
return PE_OK;
}
SAML Issuer hooks
-----------------
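Review bot: the parameter lists for oidcGotOnlineRefresh and oidcGotOfflineRefresh do not match the sample signatures: the subs receive `$req` before `$rp` (`my ( $self, $req, $rp, $refreshInfo, $sessionInfo ) = @_;`), but both bullet lists start at the relying party's configuration key. Add the request object to both lists, and end "for an online session" and "for an offline session" with a period.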

View File

@ -340,6 +340,8 @@ Options
- **Logout**
- **Bypass confirm**: Bypass logout confirmation when logout is initiated
by relaying party
- **Allowed redirection addresses for logout**: A space-separated list of
URLs that this client can redirect the user to once the logout is done
(through ``post_logout_redirect_uri``)
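Review bot: the "Allowed redirection addresses for logout" entry should state how entries are matched (exact URL or prefix, whether the query string counts) and what happens when the list is empty, since this list is the control that decides whether a `post_logout_redirect_uri` supplied by the client is honoured.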

View File

@ -6,6 +6,7 @@ Portal configuration
portal
portalcustom
jqueryevents
portalmenu
portalservers
captcha

View File

@ -0,0 +1,42 @@
Available JQuery Events
========================
Some portal functions (such as 2FA registration) are performed by Javascript.
We offer a few custom events that let you react to certain high-level Javascript events
Second factor management
------------------------
mfaAdded
~~~~~~~~
.. versionadded:: 2.0.15
This event is triggered when a TOTP, WebAuthn or U2F device is registered
Sample code:
.. code:: javascript
$(document).on( "mfaAdded", { }, function( event, info ) {
console.log( "Added MFA of type" + info.type );
// Your code here
});
mfaDeleted
~~~~~~~~~~~
.. versionadded:: 2.0.15
This event is triggered when a TOTP, WebAuthn or U2F device is removed
Sample code:
.. code:: javascript
$(document).on( "mfaDeleted", { }, function( event, info ) {
console.log( "Removed MFA of type" + info.type );
// Your code here
});
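Review bot: in both samples `"Added MFA of type" + info.type` lacks a separating space, so the log reads "Added MFA of typeTOTP"; use `"Added MFA of type " + info.type`. The page should also list the fields carried by `info` (only `type` is shown), and "Javascript" should be spelled "JavaScript".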

View File

@ -45,6 +45,9 @@ Mail second factor".
- **Mail body**: The plain text content of the email the user will
receive. If you leave it blank, the ``mail_2fcode`` HTML template
will be used. The one-time code is stored in the ``$code`` variable
- **Re-send interval**: Set this to a non-empty value to allow the user to
re-send the code in case a transmission error occured. The value sets how
many seconds the user has to wait before each attempt
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5

View File

@ -12,13 +12,13 @@ Examples
**Important things**:
- The above examples below are written for version 0.6.0 in CommonJS
but Node.js handler can be used in ES7 and/or Typescript code
- Rules and headers must be written in javascript for these hosts
(example ``$uid eq "dwho"`` becomes ``$uid === "dwho"``)
- Multi-lines are not supported in lemonldap-ng.ini
- Virtualhosts handled by node-lemonldap-ng-handler must be explicitly
declared in your ``lemonldap-ng.ini`` file in ``[node-handler]``
section (**NB**: section ``[handler]`` isn't used by node
handler):
section
.. code-block:: ini
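Review bot: "The above examples below are written for version 0.6.0" is self-contradictory; suggest "The examples below". Dropping the note that section ``[handler]`` is not used by the node handler removes useful information; if that is still the case, keep it in the rewritten bullet.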
@ -40,12 +40,14 @@ FastCGI server
configStorage: {
"confFile": "/path/to/lemonldap-ng.ini"
}
});
}).then( () => {
handler.nginxServer({
"mode": "fcgi", // or "http", default: fcgi
"port": 9090, // default value
"ip": 'localhost' // default value
});
handler.nginxServer({
"mode": "fcgi", // or "http", default: fcgi
"port": 9090, // default value
"ip": 'localhost' // default value
});
Nginx configuration
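Review bot: `handler.init(...)` now returns a promise and `nginxServer` is started inside `.then()`, but there is no `.catch()`; a rejected init (wrong path in "confFile", unreadable configuration) becomes an unhandled rejection and the FastCGI server silently never starts. Add a `.catch()` that logs the error and exits non-zero.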
@ -98,16 +100,17 @@ Use it to protect an express app
configStorage: {
"confFile":"test/lemonldap-ng.ini"
}
});
// and load it
app.use(handler.run);
// Then simply use your express app
app.get('/', function(req, res) {
return res.send('Hello ' + req.headers['Auth-User'] + ' !');
});
app.listen(3000, function() {
return console.log('Example app listening on port 3000!');
}).then( () => {
// and load it
app.use(handler.run);
// Then simply use your express app
app.get('/', function(req, res) {
return res.send('Hello ' + req.headers['Auth-User'] + ' !');
});
app.listen(3000, function() {
return console.log('Example app listening on port 3000!');
});
});
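Review bot: same missing `.catch()` as in the FastCGI example: if init rejects, `app.use(handler.run)` is never reached and the routes below are never registered. Also worth confirming that `req.headers['Auth-User']` resolves: Node.js lowercases header names it parses from the wire, so unless `handler.run` writes the key as `Auth-User` itself this should be `req.headers['auth-user']`.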

View File

@ -515,3 +515,14 @@ connect with any user, the message will be prompted.
.. |image1| image:: /documentation/portal-notification.png
:class: align-center
JSON response
~~~~~~~~~~~~~
If a notification is pending, JSON response fields are:
- ``result``: ``0``
- ``error``: ``36``
- ``ciphered_id``: a ciphered session id is returned in this field.
This id can be used to forward and continue the notification process if you call the REST ``/notifback`` endpoint
with a LL::NG cookie built with this id.

View File

@ -562,6 +562,7 @@ sfEngine Second factor engine
sfExtra Extra second factors ✔
sfManagerRule Rule to display second factor Manager link ✔
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
sfLoginTimeout Timeout for 2F login process ✔
sfRegisterTimeout Timeout for 2F registration process ✔
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
sfRemovedNotifMsg Notification message ✔
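Review bot: while adding sfLoginTimeout here, the neighbouring context line "Display a message if at leat one expired SF has been removed" has "leat" for "least"; a one-word fix in the same hunk would be cheap.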

View File

@ -22,7 +22,7 @@ A blank value disables Main logo display.
- Main logo is included in Portal templates AND mail body
Favicon
~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
You can change the default favicon in Manager: General Parameters >
Portal > Customization > Favicon.
@ -49,6 +49,14 @@ Option enabled by default.
your browser (EN by default).
Scroll to top button
~~~~~~~~~~~~~~~~~~~~
You can display a button to go to back to the top after <value> pixels scrolling.
.. tip::
A blank or null value disable this feature.
Custom CSS file
~~~~~~~~~~~~~~~
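Review bot: "go to back to the top" should be "go back to the top", and "A blank or null value disable this feature" should read "disables". The new entry should also say where <value> is set in the Manager (the other entries in this section give the "General Parameters > Portal > Customization" path).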
@ -212,6 +220,12 @@ To change CSS, two options:
<link href="<TMPL_VAR NAME="STATIC_PREFIX">myskin/css/myskin.css" rel="stylesheet" type="text/css" />
To add custom JS, create a new file in myskin/js/custom.js and load it in customhead.tpl ::
<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX"><TMPL_VAR NAME="SKIN">/js/custom.js"></script>
In this file, you can access JQuery functions, and hook your code to :doc:`JQuery events <jqueryevents>`
Put then all custom HTML code in the custom template files.
To configure your new skin in Manager, select the custom skin, and enter

View File

@ -45,6 +45,12 @@ and edit configuration:
cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataRenater
vi /usr/share/lemonldap-ng/bin/importMetadataRenater
.. versionchanged:: 2.0.15
Since version 2.0.15 it is no longer necessary to copy the script, you can
use the ``--configfile`` option to handle most customization use cases. See
:ref:`importmetadataconfig` below for details.
Set attributes (use the SAML Name, not FriendlyName) that are provided
by IDPs, for example:
@ -92,26 +98,27 @@ Then run the script:
/usr/share/lemonldap-ng/bin/importMetadataRenater -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i "idp-renater-" -s "sp-renater-"
The script provide the following options
The script provide the following options
* -i (--idpconfprefix): Prefix used to set IDP configuration key
* -h (--help): print this message
* -m (--metadata): URL of metadata document
* -s (--spconfprefix): Prefix used to set SP configuration key
* --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
* --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
* -a (--nagios): output statistics in Nagios format
* -n (--dry-run): print statistics but do not apply changes
* -v (--verbose): increase verbosity of output
* -r (--remove): remove provider from LemonLDAP::NG if it does not appear in metadata
* -i (--idpconfprefix): Prefix used to set IDP configuration key
* -h (--help): print this message
* -m (--metadata): URL of metadata document
* -s (--spconfprefix): Prefix used to set SP configuration key
* --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
* --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
* -a (--nagios): output statistics in Nagios format
* -n (--dry-run): print statistics but do not apply changes
* -c (--configfile): use a configuration file
* -v (--verbose): increase verbosity of output
* -r (--remove): remove provider from LemonLDAP::NG if it does not appear in metadata
Example :
::
/usr/libexec/lemonldap-ng/bin/importMetadata -m https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml -s "sp-fed-prd" -c https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem -bs https://test-sp.federation.renater.fr -r -v -d
This command will
This command will
* fetch all SPs metadata from renater
* set a prefix to entity stored inside LemonLdap::NG
* disable local modification of SP https://test-sp.federation.renater.fr
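Review bot: the new `-c (--configfile)` short option collides with the `-c` already used in the example command, where `-c https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem` clearly passes the metadata signing certificate; as written a reader cannot tell which meaning of `-c` the script honours. Either the certificate option needs its own letter or its entry is missing from the list, which also does not document the `-bs` and `-d` options the example uses. Separately, "The script provide the following options" should be "provides".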
@ -135,7 +142,7 @@ The output is the following :
With "-n" options you could get a "nagios like" output with metrics :
::
/usr/libexec/lemonldap-ng/bin/importMetadataFedRenater -m https://pub.federation.renater.fr/metadata/renater/main/main-sps-renater-metadata.xml -s "sp-fed-prd" -c https://pub.federation.renater.fr/metadata/certs/renater-metadata-signing-cert-2016.pem -bs https://test-sp.federation.renater.fr -r -d -n
Metadata loaded inside Conf: [DRY-RUN]|idp_found=0, idp_updated=0, idp_created=0, idp_removed=0, idp_rejected=0, idp_ignored=0, sp_found=1248, sp_updated=1240, sp_created=0, sp_removed=0, sp_rejected=7, sp_ignored=1
@ -145,6 +152,57 @@ With "-n" options you could get a "nagios like" output with metrics :
You need to add this in cron to refresh metadata into
LL::NG configuration.
.. _importmetadataconfig:
Metadata import configuration file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 2.0.15
You can now use a configuration file for the script in order to handle most custom cases.
Here is an example of a INI-formatted configuration file::
# main script options, these will be overriden by the CLI options
[main]
dry-run=1
verbose=1
metadata=http://url/to/metadata.xml
; Multi-value options
ignore-idp=entity-id-to-ignore-1
ignore-idp=entity-id-to-ignore-2
# Default exported attributes for IDPs
[exportedAttributes]
cn=0;cn
eduPersonPrincipalName=0;eduPersonPrincipalName
...
# options that apply to all providers
[ALL]
; Disable signature requirement on requests
samlSPMetaDataOptionsCheckSSOMessageSignature=0
samlSPMetaDataOptionsCheckSLOMessageSignature=0
; Store SAML assertions in session
samlIDPMetaDataOptionsStoreSAMLToken=1
; Mark ePPN as always required
attribute_required_eduPersonPrincipalName=1
...
# Specific provider configurations
[https://test-sp.federation.renater.fr]
; All attributes are optional for this provider
attribute_required=0
; Override some options
samlSPMetaDataOptionsNameIDFormat=persistent
[https://idp.renater.fr/idp/shibboleth]
; declare an extra attribute from this provider
exported_attribute_eduPersonAffiliation=1;uid
Add your SP into the federation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
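Review bot: "overriden" should be "overridden". In the `[ALL]` block, `samlSPMetaDataOptionsCheckSSOMessageSignature=0` and `samlSPMetaDataOptionsCheckSLOMessageSignature=0` turn off request signature checking for every imported SP; since this file is presented as a template to copy, either illustrate `[ALL]` with a less hazardous option or add a sentence saying those two lines should only be kept when the federation's SPs are known not to sign their requests.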

View File

@ -12,11 +12,17 @@ All parameters are set in "General Parameters » Portal Parameters »
Second Factors » REST 2nd Factor".
- **Activation**
- **Code regex**: regular expression to create an OTP code. If this option is
set, LemonLDAP::NG will generate the code and send it through the Init URL,
then verify it internally.
- **Init URL** *(optional)*: REST URL to initialize dialog *(send
OTP)*. Leave it blank if your API doesn't need any initialization
- **Init arguments**: list of arguments to send *(see below)*
- **Verify URL** *(required)*: REST URL to verify code
- **Verify arguments**: list of arguments to send *(see below)*
- **Re-send interval**: Set this to a non-empty value to allow the user to
re-send the code in case a transmission error occured. The value sets how
many seconds the user has to wait before each attempt
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
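Review bot: "occured" should be "occurred" (same typo as in the mail and external 2F pages of this commit). Because the new "Code regex" mode has LemonLDAP::NG generate the code and verify it internally, the Re-send interval entry should say whether a re-send issues a fresh code or resends the stored one, since that decides which value the internal check accepts.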
@ -31,20 +37,31 @@ Arguments are a list of key/value. Key is the name of JSON entry, value
is attribute or macro name.
.. attention::
For Verify URL, you should send ``$code`` at least
REST Dialog
REST Dialog
-----------
REST web services have just to reply with a "result" key in a JSON file.
Auth/UserDB can add an "info" array. It will be stored in session data
(without reading "Exported variables").
If *Code regex* is set
~~~~~~~~~~~~~~~~~~~~~~
========== ================================================ ====================================
URL Query Response
========== ================================================ ====================================
Init URL JSON file: ``{"user":$user,...}`` JSON file: ``{"result":true/false}``
Verify URL JSON file: ``{"user":$user,"code":"$code",...}`` JSON file: ``{"result":true/false}``
Init URL JSON body: ``{"user":$user,"code":"$code",...}`` JSON body: ``{"result":true/false}``
========== ================================================ ====================================
The Verify URL is not called, since the code is checked against the internally saved value
If *Code regex* is not set
~~~~~~~~~~~~~~~~~~~~~~~~~~
========== ================================================ ====================================
URL Query Response
========== ================================================ ====================================
Init URL JSON body: ``{"user":$user,...}`` JSON body: ``{"result":true/false}``
Verify URL JSON body: ``{"user":$user,"code":"$code",...}`` JSON body: ``{"result":true/false}``
========== ================================================ ====================================
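Review bot: the `.. attention:: For Verify URL, you should send ``$code`` at least` note is now only true for the "Code regex is not set" case, since the hunk states that the Verify URL is not called when the regex is set; move the note under that subsection or qualify it. "The Verify URL is not called, since the code is checked against the internally saved value" also needs a terminating period.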

View File

@ -49,7 +49,8 @@ The JSON response fields are:
- ``error``: error code, the corresponding error can be found in
:doc:`Portal error codes<error_codes>`
- ``id``: if authentication succeed, the session id is returned in this
field
field. This id is not returned if you call the REST endpoint with the
session cookie (which means you are already authenticated).
.. tip::
@ -62,7 +63,7 @@ The JSON response fields are:
Before version 2.0.4, the response to a success
authentication had no ``id`` field, and ``error`` field was named
``code`` (use Cookie header to get id value).
``code``.
Example
^^^^^^^

View File

@ -76,10 +76,19 @@ of doing a complete reauthentication.
.. |beta| image:: /documentation/beta.png
Login timeout
-------------
Allowed time for the user to authenticate using their second factor. By default
it is set to 2 minutes, but some complex second factor types (TOTP, email...)
may require more time to be used.
Registration timeout
--------------------
Allowed time to register a TOTP.
Allowed time for the user to register their new second factor. By default it is
set to 2 minutes, but some complex second factor types (TOTP...) may require
more time to be registered.
Second factor expiration
------------------------

View File

@ -310,7 +310,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
authentication renewal cannot be forced, used to prevent to loose the
current authentication during the main process. If you experience
slow network performances, you can increase this value.
- **Encryption key**: key used to crypt some data, should not be known
- **Encryption key**: key used for crypting some data, should not be known
by other applications
- **Trusted domains**: domains on which the user can be redirected
after login on portal.
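Review bot: "key used for crypting some data" should be "key used to encrypt some data". "should not be known by other applications" understates the requirement: this key is what the encrypt() extended function and the ciphered session ids rely on, so the entry should say it must be kept secret from anything outside LL::NG.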

View File

@ -288,7 +288,7 @@ Name Description
:doc:`Context switching<contextswitching>` [7]_\ |new| Switch context other users
:doc:`CrowdSec<crowdsec>` [8]_\ |new| CrowdSec bouncer
:doc:`Custom<plugincustom>` Write a custom plugin
:doc:`Decrypt value<decryptvalue>` [9]_\ |beta| Decrypt ciphered values
:doc:`Decrypt value<decryptvalue>` [9]_\ Decrypt ciphered values
:doc:`Display login history<loginhistory>` Display Success/Fails logins
:doc:`Force Authentication<forcereauthn>` Force authentication to access to Portal
:doc:`Global Logout<globallogout>` [10]_ Suggest to close all opened sessions at logout

View File

@ -47,8 +47,26 @@ In the manager (advanced parameters), you just have to enable it:
TOTP
- **Issuer name** (Optional): default to portal hostname
- **Interval**: interval for TOTP algorithm (default: 30)
- **Range of attempts**: number of additional intervals to test (default: 1)
.. warning::
Many mobile applications only support the default value
- **Range of attempts**: number of additional intervals to test (default: 1).
Use this settings if your server and phone clocks are not perfectly in sync,
at the cost of weaker security.
.. note::
Range is tested backward and forward to prevent
positive or negative clock drift.
- **Number of digits**: number of digit by codes (default: 6)
.. warning::
Many mobile applications only support the default value
- **Authentication level**: you can overwrite here auth level for TOTP
registered users. Leave it blank keeps auth level provided by first
authentication module *(default: 2 for user/password based modules)*.
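Review bot: "Use this settings" should be "Use this setting". Rather than the bare "at the cost of weaker security", spell out the trade-off the note below implies: because the range is tested backward and forward, a range of 1 with the default 30 s interval means three consecutive codes are accepted at any moment, and each additional interval adds two more.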

View File

@ -26,6 +26,81 @@ Known regressions in the latest released version
None
2.0.15
------
New Captcha API
~~~~~~~~~~~~~~~
It is now possible to create your own Captcha modules to replace the one provided by default.
In order for custom Captcha modules to work, you need to modify your custom ``standardform.tpl``, ``mail.tpl`` and ``register.tpl`` template files:
.. code:: diff
- <TMPL_IF NAME=CAPTCHA_SRC>
- <TMPL_INCLUDE NAME="captcha.tpl">
+ <TMPL_IF NAME=CAPTCHA_HTML>
+ <TMPL_VAR NAME=CAPTCHA_HTML>
</TMPL_IF>
If you are using the default templates from the ``bootstrap`` theme, you don't need to change anything.
Re-send 2FA code
~~~~~~~~~~~~~~~~
The :doc:`mail <mail2f>`, :doc:`external <external2f>` and :doc:`REST <rest2f>` based 2FA types can now re-send the user code if delivery failed for some reason. If you use custom templates, you must update ``ext2fcheck.tpl``
.. code:: diff
--- a/lemonldap-ng-portal/site/templates/bootstrap/ext2fcheck.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/ext2fcheck.tpl
@@ -26,6 +26,12 @@
</button>
</div>
<div class="buttons">
+ <TMPL_IF "RESENDTARGET">
+ <button type="submit" class="btn btn-primary" formaction="<TMPL_VAR "RESENDTARGET">">
+ <span class="fa fa-repeat"></span>
+ <span trspan="resendCode">Re-send code</span>
+ </button>
+ </TMPL_IF>
<a href="<TMPL_VAR NAME="PORTAL_URL">?cancel=1&skin=<TMPL_VAR NAME="SKIN">" class="btn btn-primary" role="button">
<span class="fa fa-home"></span>
<span trspan="cancel">Cancel</span>
If you are using the default templates from the ``bootstrap`` theme, you don't need to change anything.
Customizing the 2FA logo in the registration screen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The 2FA registration screen now displays the custom logo and label set in configuration. If you use custom templates, you should update ``2fregisters.tpl``
.. code:: diff
@@ -77,10 +77,16 @@
<div class="card border-secondary">
<div class="card-body py-3">
<a href="<TMPL_VAR NAME="URL">" class="nodecor">
- <img src="<TMPL_VAR NAME="STATIC_PREFIX"><TMPL_VAR NAME="SKIN">/<TMPL_VAR NAME="LOGO">" alt="<TMPL_VAR NAME="CODE">2F" title="<TMPL_VAR NAME="CODE">2F" />
+ <img src="<TMPL_VAR NAME="STATIC_PREFIX"><TMPL_VAR NAME="SKIN">/<TMPL_VAR NAME="LOGO">" alt="<TMPL_VAR NAME="CODE">2f" title="<TMPL_VAR NAME="LABEL">" />
</a>
</div>
- <div class="card-footer text-white text-uppercase bg-secondary"><TMPL_VAR NAME="CODE">2F</div>
+ <div class="card-footer text-white text-uppercase bg-secondary">
+ <TMPL_IF LABEL>
+ <p><TMPL_VAR NAME="LABEL"></p>
+ <TMPL_ELSE>
+ <p trspan="<TMPL_VAR NAME="CODE">2f"></p>
+ </TMPL_IF>
+ </div>
</div>
</div>
</TMPL_LOOP>
If you are using the default templates from the ``bootstrap`` theme, you don't need to change anything.
2.0.14
------
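Review bot: the new `<TMPL_VAR NAME=CAPTCHA_HTML>` substitution inserts the module's output unescaped into the login, mail and register forms, so the New Captcha API section should state that a custom Captcha module is responsible for escaping anything user- or request-derived it places in that HTML. The three "If you are using the default templates ... you don't need to change anything." sentences could also be stated once at the top of the 2.0.15 notes.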

View File

@ -1,13 +1,15 @@
Use an outgoing proxy
=====================
For some protocols, LL::NG has to directly contact the external server.
For some protocols, LemonLDAP::NG has to directly contact the external server.
This is the case for example with CAS authentication (validation of
service ticket) or OpenID Connect authentication (access to token
endpoint and userinfo endpoint).
If the LL::NG server needs a proxy for outgoing connections, then you
need to configure some environment variables.
need to configure some environment variables. By default, only connections
to external systems (CAS, OIDC, etc.) are done through the proxy, while HTTP
connections in between LemonLDAP::NG components are not.
Apache
------
@ -21,6 +23,11 @@ In Apache configuration, set:
# on Centos7, you need LWP::Protocol::connect
# FcgidInitialEnv https_proxy connect://X.X.X.X:X
# Optional: use this to force ALL http connections to go
# through the proxy. This is only useful in some scenarios
# FcgidInitialEnv PERL_LWP_ENV_PROXY 1
# FcgidInitialEnv no_proxy <urls-without-proxy>
Nginx/FastCGI
-------------
@ -33,3 +40,8 @@ add in ``/etc/default/lemonldap-ng-fastcgi-server`` :
# on Centos7, you need LWP::Protocol::connect
# https_proxy=connect://X.X.X.X:X
# Optional: use this to force ALL http connections to go
# through the proxy. This is only useful in some scenarios
# PERL_LWP_ENV_PROXY=1
# no_proxy=<urls-without-proxy>
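Review bot: "HTTP connections in between LemonLDAP::NG components" should be "between". The PERL_LWP_ENV_PROXY comment says "only useful in some scenarios" without naming one; since forcing all LWP traffic through the proxy also captures portal-to-handler calls, the text should say that `no_proxy` is there to exempt those internal hosts, which is why the two lines are shown together.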

View File

@ -148,15 +148,17 @@ Key Description
OpenID Connect
--------------
============================ ===============================================
============================ ======================================================================
Key Description
============================ ===============================================
============================ ======================================================================
\_oidc_id_token ID Token
\_oidc_OP Configuration key of OP used for authentication
\_oidc_access_token OAuth2 Access Token used to get UserInfo data
\_oidc_access_token_eol Timestamp after which the Access Token should no longer be valid
\_oidc_refresh_token OAuth2 Refresh Token. This should never be transmitted to applications
\_oidc_consent_scope\_\ *rp* Scope for which consent was given for RP *rp*
\_oidc_consent_time\_\ *rp* Time when consent was given for RP *rp*
============================ ===============================================
============================ ======================================================================
Other
-----

View File

@ -1198,6 +1198,8 @@ components:
logoutUrl:
type: string
format: url
logoutBypassConfirm:
type: boolean
clientSecret:
type: string
format: password

View File

@ -40,6 +40,7 @@ viewerAllowDiff = 1
staticPrefix = /static
instanceName = Demo
;customCSS = css/custom.css
languages = fr, en, vi, ar, it, zh, tr, zh_TW, es
templateDir = __pwd__/lemonldap-ng-manager/site/templates

View File

@ -37,6 +37,7 @@ viewerAllowDiff = 1
staticPrefix = /static
instanceName = Demo
;customCSS = css/custom.css
languages = fr, en, vi, ar, it, zh, tr, zh_TW, es
templateDir = __pwd__/lemonldap-ng-manager/site/templates


@ -48,6 +48,7 @@ viewerAllowBrowser = 1
viewerAllowDiff = 1
staticPrefix = /static
;customCSS = css/custom.css
instanceName = Demo
languages = fr, en, vi, ar, it, zh, tr, zh_TW, es
templateDir = __pwd__/lemonldap-ng-manager/site/templates


@ -84,6 +84,7 @@ scripts/lmMigrateConfFiles2ini
scripts/rotateOidcKeys
t/01-Common-Conf.t
t/02-Common-Conf-File.t
t/02-Common-Conf-ServerEnv.t
t/03-Common-Conf-CDBI.t
t/03-Common-Conf-RDBI.t
t/05-Common-Conf-LDAP.t


@ -23,8 +23,10 @@
"build" : {
"requires" : {
"IO::String" : "0",
"MIME::Entity" : "0",
"Net::LDAP" : "0",
"String::Random" : "0",
"Test::Output" : "0",
"Test::Pod" : "1"
}
},
@ -61,7 +63,6 @@
"JSON::XS" : "0",
"Mouse" : "0",
"Plack" : "0",
"Test::Pod" : "1",
"URI" : "0"
}
}


@ -4,8 +4,10 @@ author:
- 'Xavier Guimard <x.guimard@free.fr>, Clement Oudot <clement@oodo.net>, Christophe Maudoux <chrmdx@gmail.com>, Maxime Besson <maxime.besson@worteks.com>'
build_requires:
IO::String: '0'
MIME::Entity: '0'
Net::LDAP: '0'
String::Random: '0'
Test::Output: '0'
Test::Pod: '1'
configure_requires:
ExtUtils::MakeMaker: '0'
@ -46,7 +48,6 @@ requires:
JSON::XS: '0'
Mouse: '0'
Plack: '0'
Test::Pod: '1'
URI: '0'
resources:
MailingList: mailto:lemonldap-ng-dev@ow2.org


@ -37,6 +37,7 @@ WriteMakefile(
LICENSE => 'gpl',
BUILD_REQUIRES => {
'IO::String' => 0,
'MIME::Entity' => 0,
'Net::LDAP' => 0,
'String::Random' => 0,
'Test::Pod' => 1.00,


@ -376,9 +376,12 @@ protection = manager
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = __MANAGERSTATICDIR__
;
; instanceName: Display current LLNG instance into Manager
;instanceName = Demo
; customCSS: CSS file to customize Manager
;customCSS = css/custom.css
; location of HTML templates directory
templateDir = __MANAGERTEMPLATESDIR__


@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Apache::Session::Store;
use strict;
our $VERSION = '2.0.10';
our $VERSION = '2.0.15';
sub new {
my $class = shift;
@ -56,7 +56,7 @@ sub materialize {
# Get session from cache
my $id = $session->{data}->{_session_id};
if ( $self->cache->get($id) ) {
if ( !$self->{args}->{noCache} and $self->cache->get($id) ) {
$session->{serialized} = $self->cache->get($id);
return;
}
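Review bot: `$self->cache->get($id)` is still evaluated twice in `materialize`, once in the new condition and once in the assignment, so an entry that expires or is evicted between the two calls leaves `$session->{serialized}` undefined while the method still returns early, and the session then looks empty instead of falling through to the backend. Fetch once: `if ( !$self->{args}->{noCache} and defined( my $cached = $self->cache->get($id) ) ) { $session->{serialized} = $cached; return; }`. Putting the `noCache` test first, as the hunk does, is right: the cache is not consulted at all when the caller asked for fresh data.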


@ -27,10 +27,12 @@ use Config::IniFiles;
#inherits Lemonldap::NG::Common::Conf::Backends::SOAP
#inherits Lemonldap::NG::Common::Conf::Backends::LDAP
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
our $msg = '';
our $iniObj;
our $PlaceHolderRe = '%SERVERENV:(.*?)%';
BEGIN {
eval {
require threads::shared;
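Review bot: `%SERVERENV:(.*?)%` accepts any characters as the variable name, including an empty one (`%SERVERENV:%` resolves to `$ENV{''}`) and names containing spaces or punctuation, and the capture is used directly as a key into `%ENV` further down. A tighter class costs nothing and documents which names are legal: `our $PlaceHolderRe = '%SERVERENV:([A-Za-z_][A-Za-z0-9_]*)%';`.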
@ -228,9 +230,10 @@ sub getConf {
$res = $r;
}
# Create cipher object
# Create cipher object and replace variable placeholder
unless ( $args->{raw} ) {
$self->replacePlaceholders($res) if $self->{useServerEnv};
eval {
$res->{cipher} = Lemonldap::NG::Common::Crypto->new( $res->{key} );
};
@ -504,6 +507,46 @@ sub logError {
return shift->_launch( 'logError', @_ );
}
sub _substPlaceHolders {
return $_[0] unless $_[0];
$_[0] =~ s/$PlaceHolderRe/$ENV{$1}/geo;
return $_[0];
}
## @method void replacePlaceholders(res: LLNG_Conf)
#
# Recursively replace %SERVERENV:VariableName% by $ENV{VariableName} value
sub replacePlaceholders {
my ( $self, $conf ) = @_;
if ( ref $conf eq 'HASH' ) {
foreach my $key ( keys %$conf ) {
if ( $key =~ /$PlaceHolderRe/o ) {
my $val = $conf->{$key};
delete $conf->{$key};
my $nk = _substPlaceHolders($key);
$conf->{$nk} = $val;
}
next unless ( $conf->{$key} );
if ( ref $conf->{$key} ) {
$self->replacePlaceholders( $conf->{$key} );
}
elsif ( $conf->{$key} =~ /$PlaceHolderRe/o ) {
$conf->{$key} = _substPlaceHolders( $conf->{$key} );
}
}
}
elsif ( ref $conf eq 'ARRAY' ) {
for ( my $i = 0 ; $i < @$conf ; $i++ ) {
if ( ref $conf->[$i] ) {
$self->replacePlaceholders( $conf->[$i] );
}
elsif ( $conf->[$i] =~ /$PlaceHolderRe/o ) {
$conf->[$i] = _substPlaceHolders( $conf->[$i] );
}
}
}
}
1;
__END__
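Review bot: two points on `_substPlaceHolders` and `replacePlaceholders`. First, an unset variable substitutes silently to the empty string: `s/$PlaceHolderRe/$ENV{$1}/geo` yields `''` (plus a "Use of uninitialized value" warning) when `$ENV{$1}` is undefined, so a typo in the variable name used for `key`, an LDAP bind password or an OIDC client secret produces a running configuration with an empty secret instead of a startup failure. Check `exists $ENV{$1}` in the replacement and log or die with the placeholder name, since `getConf` already reports errors through `$msg`. Second, the key-renaming branch only works because `_substPlaceHolders` rewrites its argument in place through `@_` aliasing: `_substPlaceHolders($key)` mutates `$key` itself, which is what makes the following `next unless ( $conf->{$key} )` and the recursion look at the new key rather than the deleted one. That is correct today but invisible to a reader and will break the moment someone makes the helper copy its input. Either assign explicitly (`$key = $nk;` after the rename, or use `$nk` in the lines below) and have `_substPlaceHolders` work on a copy (`my $s = shift;`), or at least comment the reliance on the side effect.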


@ -4,12 +4,12 @@ use strict;
use Mouse;
use Lemonldap::NG::Common::Conf::ReConstants;
our $VERSION = '2.0.8';
our $VERSION = '2.0.15';
sub compactConf {
my ( $self, $conf ) = @_;
return $conf unless ( $conf->{'compactConf'} );
return $conf unless $conf->{compactConf};
# Remove unused auth parameters
my %keep;


@ -5,7 +5,7 @@ use strict;
use Exporter 'import';
use base qw(Exporter);
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
# CONSTANTS
@ -29,9 +29,9 @@ use constant DEFAULTCONFBACKEND => "File";
use constant DEFAULTCONFBACKENDOPTIONS => (
dirName => '/usr/local/lemonldap-ng/data/conf',
);
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|ScopeRule|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)s)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|ScopeRule|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|c(?:a(?:s(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|ptchaOptions)|(?:ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)s)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $arrayParameters = qr/^mySessionAuthorizedRWKeys$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnectedBypassFG|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ewLocationWarning)|r
e(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|memberDefaultChecked|freshSessions)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|to(?:tp2f(?:UserCanRemoveKey|EncryptSecret)|kenUseGlobalStorage)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|w(?:ebauthn2fUserCanRemoveKey|sdlServer)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|findUser)$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnectedBypassFG|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Logout(?:SessionRequired|BypassConfirm)|Re(?:freshToken|quirePKCE)|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ew
LocationWarning)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|memberDefaultChecked|freshSessions)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|to(?:tp2f(?:UserCanRemoveKey|EncryptSecret)|kenUseGlobalStorage)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|w(?:ebauthn2fUserCanRemoveKey|sdlServer)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|findUser)$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );


@ -1,7 +1,7 @@
# This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
package Lemonldap::NG::Common::Conf::DefaultValues;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub defaultValues {
return {
@ -327,6 +327,7 @@ sub defaultValues {
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
'samlSPSSODescriptorWantAssertionsSigned' => 1,
'scrollTop' => 400,
'securedCookie' => 0,
'sfEngine' => '::2F::Engines::Default',
'sfManagerRule' => 1,


@ -5,7 +5,7 @@ use strict;
use Exporter 'import';
use base qw(Exporter);
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
our %EXPORT_TAGS = ( 'all' => [qw($simpleHashKeys $doubleHashKeys $specialNodeKeys $casAppMetaDataNodeKeys $casSrvMetaDataNodeKeys $oidcOPMetaDataNodeKeys $oidcRPMetaDataNodeKeys $samlIDPMetaDataNodeKeys $samlSPMetaDataNodeKeys $virtualHostKeys $specialNodeHash $authParameters $issuerParameters $samlServiceParameters $oidcServiceParameters $casServiceParameters)] );
our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
@ -22,12 +22,12 @@ our $specialNodeHash = {
};
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)|l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|(?:(?:d(?:emo|bi)|webID)E|e)xportedVar|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|OPMetaDataJ(?:SON|WKS))|penIdExportedVars)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|S(?:MTPTLSOpts|SLVarIf))';
our $simpleHashKeys = '(?:(?:c(?:a(?:s(?:StorageOption|Attribute)|ptchaOption)|ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)|l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|(?:(?:d(?:emo|bi)|webID)E|e)xportedVar|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|OPMetaDataJ(?:SON|WKS))|penIdExportedVars)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|S(?:MTPTLSOpts|SLVarIf))';
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic|Rul)e|AuthnLevel)|(?:ExportedVar|Macro)s)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:Re(?:solutionRule|new)|ProxiedServices|DisplayName|SortNumber|Gateway|Icon|Url)|ExportedVars)';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|(?:ResolutionRul|MaxAg)e|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|Logout(?:SessionRequired|BypassConfirm|Type|Url)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|DevOpsRulesUrl|Https|Port)|(?:exportedHeader|locationRule)s|post)';


@ -2,19 +2,18 @@ package Lemonldap::NG::Common::Logger::Dispatch;
use strict;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub new {
no warnings 'redefine';
my $self = bless {}, shift;
my ( $conf, %args ) = @_;
my %bck;
my $last;
my $show = 1;
my ( %bck, $last );
my $root = $args{user} ? 'userLogDispatch' : 'logDispatch';
unless ( $conf->{ $root . 'Error' } ) {
die "At least, ${root}Error must be defined in conf";
}
my $show = 1;
die "At least, ${root}Error must be defined in conf"
unless ( $conf->{ $root . 'Error' } );
foreach my $l (qw(error warn notice info debug)) {
if ($show) {
$last = $conf->{ $root . ucfirst($l) } || $last;
@ -33,9 +32,9 @@ sub new {
eval qq'sub $l {1}';
}
$show = 0 if ( $conf->{logLevel} eq $l );
}
die "Unknown logLevel $conf->{logLevel}" if ($show);
die "Unknown logLevel $conf->{logLevel}" if $show;
return $self;
}


@ -10,13 +10,14 @@ package Lemonldap::NG::Common::Logger::Sentry;
use strict;
use Sentry::Raven;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub new {
my $self = bless {}, shift;
my ($conf) = @_;
my $show = 1;
$self->{raven} = Sentry::Raven->new( sentry_dsn => $conf->{sentryDsn} );
foreach (qw(error warn notice info debug)) {
my $rl = $_;
$rl = 'warning' if ( $rl = 'warn' );
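Review bot: the unchanged line `$rl = 'warning' if ( $rl = 'warn' );` just below the version bump assigns instead of comparing: `$rl = 'warn'` is always true, so every level is rewritten to `warning` and error, notice, info and debug messages all reach Sentry tagged as warnings. Since this file is being touched anyway, fix it to `$rl = 'warning' if ( $rl eq 'warn' );`.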
@ -31,7 +32,8 @@ qq'sub $_ {\$_[0]->{raven}->capture_message(\$_[1],level => "$rl")}';
}
$show = 0 if ( $conf->{logLevel} eq $_ );
}
die "Unknown logLevel $conf->{logLevel}" if ($show);
die "Unknown logLevel $conf->{logLevel}" if $show;
return $self;
}


@ -2,12 +2,13 @@ package Lemonldap::NG::Common::Logger::Std;
use strict;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub new {
no warnings 'redefine';
my $level = $_[1]->{logLevel} || 'info';
my $show = 1;
foreach (qw(error warn notice info debug)) {
if ($show) {
eval
@ -18,7 +19,8 @@ qq'sub $_ {print STDERR "[".localtime."] [LLNG:\$\$] [$_] \$_[1]\n"}';
}
$show = 0 if ( $level eq $_ );
}
die "Unknown logLevel $level" if ($show);
die "Unknown logLevel $level" if $show;
return bless {}, shift;
}


@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Logger::Syslog;
use strict;
use Sys::Syslog qw(:standard);
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub new {
my ( $class, $conf, %args ) = @_;
@ -20,6 +20,7 @@ sub new {
eval { openlog( 'LLNG', $self->{options}, $self->{facility} ) };
no warnings 'redefine';
my $show = 1;
foreach (qw(error warn notice info debug)) {
if ($show) {
my $name = $_;
@ -34,7 +35,8 @@ sub new {
}
$show = 0 if ( $level eq $_ );
}
die "Unknown logLevel $level" if ($show);
die "Unknown logLevel $level" if $show;
return $self;
}


@ -6,7 +6,7 @@ use JSON;
use Lemonldap::NG::Common::PSGI::Constants;
use Lemonldap::NG::Common::PSGI::Request;
our $VERSION = '2.0.10';
our $VERSION = '2.0.15';
our $_json = JSON->new->allow_nonref;
@ -18,6 +18,7 @@ has logLevel => ( is => 'rw', isa => 'Str', default => 'info' );
has portal => ( is => 'rw', isa => 'Str' );
has staticPrefix => ( is => 'rw', isa => 'Str' );
has instanceName => ( is => 'rw', isa => 'Str', default => '' );
has customCSS => ( is => 'rw', isa => 'Str', default => '' );
has templateDir => ( is => 'rw', isa => 'Str|ArrayRef' );
has links => ( is => 'rw', isa => 'ArrayRef' );
has menuLinks => ( is => 'rw', isa => 'ArrayRef' );
@ -308,6 +309,7 @@ sub sendHtml {
$htpl->param(
STATIC_PREFIX => $sp,
INSTANCE_NAME => $self->instanceName,
CUSTOM_CSS => $self->customCSS,
SCRIPTNAME => $sc,
( $self->can('tplParams') ? ( $self->tplParams($req) ) : () ),
(
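Review bot: `CUSTOM_CSS` is handed to HTML::Template as a raw value that ends up inside a `<link href>`. The value comes from the Manager's ini file, so only an administrator can set it, but the templates should still reference it as `<TMPL_VAR NAME="CUSTOM_CSS" ESCAPE=HTML>` inside a `<TMPL_IF NAME="CUSTOM_CSS">`, matching the `default => ''` added above, so that an empty setting emits no `<link>` element at all rather than one with an empty `href`.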


@ -6,7 +6,7 @@ use JSON;
use Plack::Request;
use URI::Escape;
our $VERSION = '2.0.10';
our $VERSION = '2.0.15';
our @ISA = ('Plack::Request');
@ -38,9 +38,9 @@ sub new {
return bless( $self, $_[0] );
}
sub data { $_[0]->{data} }
sub data { return $_[0]->{data} }
sub uri { $_[0]->{uri} }
sub uri { return $_[0]->{uri} }
sub userData {
my ( $self, $v ) = @_;


@ -12,13 +12,13 @@ use Lemonldap::NG::Common::IPv6;
use JSON::XS;
use Date::Parse;
our $VERSION = '2.0.12';
our $VERSION = '2.0.15';
# Set here all the names of functions that must be available in Safe objects.
# Not that only functions, not methods, can be written here
# Note that only functions, not methods, can be written here
our $functions =
[
qw(&checkLogonHours &date &dateToTime &checkDate &basic &unicode2iso &iso2unicode &groupMatch &isInNet6 &varIsInUri &has2f_internal)
qw(&checkLogonHours &date &dateToTime &checkDate &basic &unicode2iso &unicode2isoSafe &iso2unicode &iso2unicodeSafe &groupMatch &isInNet6 &varIsInUri &has2f_internal)
];
## @function boolean checkLogonHours(string logon_hours, string syntax, string time_correction, boolean default_access)
@ -202,6 +202,21 @@ sub unicode2iso {
return encode( "iso-8859-1", decode( "utf-8", $string ) );
}
## @function string unicode2isoSafe(string string)
## This function is compliant with the Safe jail
## but not as portable as the original one
# Convert UTF-8 in ISO-8859-1
# @param string UTF-8 string
# @return ISO string
sub unicode2isoSafe {
my ($string) = @_;
my $res = $string;
utf8::decode($res);
utf8::downgrade($res);
return $res;
}
## @function string iso2unicode(string string)
# Convert ISO-8859-1 in UTF-8
# @param string ISO string
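Review bot: `utf8::downgrade($res)` without the second argument croaks ("Wide character in subroutine entry") when the string contains a code point above U+00FF, so `unicode2isoSafe('€')` dies where the original `unicode2iso` encodes the character to `?`. Inside a rule or macro evaluated in the Safe jail that turns a non-Latin-1 attribute value into a failed rule rather than a substituted character. Use the fail-ok form and fall back: `utf8::downgrade( $res, 1 ) or return $string;` (or substitute as the original does). `utf8::decode($res)` likewise returns false on malformed UTF-8 and leaves `$res` untouched; that is acceptable here but deserves a comment so the "Safe" variant's differences from the original are spelled out next to the "not as portable" remark.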
@ -212,6 +227,20 @@ sub iso2unicode {
return encode( "utf-8", decode( "iso-8859-1", $string ) );
}
## @function string iso2unicodeSafe(string string)
## This function is compliant with the Safe jail
## but not as portable as the original one
# Convert ISO-8859-1 in UTF-8
# @param string ISO string
# @return UTF-8 string
sub iso2unicodeSafe {
my ($string) = @_;
my $res = $string;
utf8::encode($res);
return $res;
}
## @function int groupMatch(hashref groups, string attribute, string value)
# Check in hGroups structure if a group attribute contains a value
# @param groups The $hGroups variable


@ -9,7 +9,7 @@ package Lemonldap::NG::Common::Session;
use strict;
use Lemonldap::NG::Common::Apache::Session;
our $VERSION = '2.0.10';
our $VERSION = '2.0.15';
# Workaround for another ModPerl/Mouse issue...
BEGIN {
@ -213,7 +213,8 @@ sub update {
return 0;
}
my $data = $self->_tie_session($tieOptions);
my $data = $self->_tie_session(
{ ( $tieOptions ? %$tieOptions : () ), noCache => 1 } );
if ($data) {
foreach ( keys %$infos ) {
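Review bot: `noCache => 1` here deserves a one-line comment: `update` must read the current backend copy, otherwise an update that starts from a stale entry in this process's local cache silently overwrites changes another process wrote since the cache was filled. Also, `( $tieOptions ? %$tieOptions : () )` assumes a hashref; if a caller ever passes a non-reference true value this dies with "Not a HASH reference", so guard with `ref $tieOptions eq 'HASH'` rather than a plain truth test.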



@ -0,0 +1,77 @@
use strict;
use Test::More tests => 14;
use Data::Dumper;
BEGIN { use_ok('Lemonldap::NG::Common::Conf') }
my $h;
ok(
$h = new Lemonldap::NG::Common::Conf( {
type => 'File',
dirName => "t/",
}
),
'type => file',
);
my $conf = {
cfgNum => 1,
test => '%SERVERENV:A%',
test2 => '%SERVERENV:B% %SERVERENV:C%',
'%SERVERENV:MYKEY%' => {
test => 'Test: %SERVERENV:A%',
array => [ 'a', '%SERVERENV:B% %SERVERENV:C%', ],
},
};
$ENV{A} = 'Aa';
$ENV{B} = 'Bb';
$ENV{C} = 'Cc';
$ENV{MYKEY} = 'MyKey';
ok( $h->store($conf) == 1, "Conf is stored" )
or print STDERR "$Lemonldap::NG::Common::Conf::msg $!";
my $cfg;
ok( $cfg = $h->getConf( { cfgNum => 1 } ), "Conf can be read" )
or print STDERR $Lemonldap::NG::Common::Conf::msg;
ok( $cfg->{test} eq '%SERVERENV:A%',
'%SERVERENV:A% is not substitued into Aa without useServerEnv' )
or print STDERR "Expect $cfg->{test} eq %SERVERENV:A%\n";
unlink 't/lmConf-1.json';
ok(
$h = new Lemonldap::NG::Common::Conf( {
type => 'File',
dirName => "t/",
useServerEnv => 1,
}
),
'type => file',
);
ok( $h->store($conf) == 1, "Conf is stored" )
or print STDERR "$Lemonldap::NG::Common::Conf::msg $!";
ok( $cfg = $h->getConf( { cfgNum => 1 } ), "Conf can be read" )
or print STDERR $Lemonldap::NG::Common::Conf::msg;
ok( $cfg->{test} eq 'Aa', '%SERVERENV:A% is substitued into Aa' )
or print STDERR "Expect $cfg->{test} eq Aa\n";
ok( $cfg->{test2} eq 'Bb Cc',
'%SERVERENV:B% %SERVERENV:C% is substitued into Bb Cc' )
or print STDERR "Expect $cfg->{test} eq Aa\n";
ok( ( !$cfg->{'%SERVERENV:MYKEY%'} and $cfg->{MyKey} ),
'Keyname is transformed' );
ok( (
$cfg->{MyKey}->{array}->[0] eq 'a'
and $cfg->{MyKey}->{array}->[1] eq 'Bb Cc'
),
'Values are substitued into arrays'
);
ok( $cfg = $h->getConf( { cfgNum => 1, raw => 1 } ), 'Get raw conf' );
ok( $cfg->{test} eq '%SERVERENV:A%',
'%SERVERENV:A% is not substitued into Aa in raw mode' )
or print STDERR "Expect $cfg->{test} eq %SERVERENV:A%\n";
unlink 't/lmConf-1.json';
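Review bot: the diagnostic on the `test2` assertion was copied from the one above it: it prints `Expect $cfg->{test} eq Aa` where it should read `Expect $cfg->{test2} eq 'Bb Cc'`, so a failure would point at the wrong key. More importantly, the file never exercises an unset variable, which is the case that matters most for a feature that will carry secrets: add a value such as `'%SERVERENV:UNSET%'` with that variable guaranteed absent from `%ENV` and assert on the intended behaviour, so that whatever `_substPlaceHolders` is decided to do in that case (empty string today, or an error) is pinned down by a test.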


@ -0,0 +1,239 @@
#!/usr/bin/perl
use Test::More;
use strict;
use warnings;
use Storable qw/dclone/;
require_ok('./scripts/importMetadata');
my $xml;
{
local $/ = undef; # Slurp mode
open XML, "t/data/preview-all-test-metadata.xml" or die;
$xml = <XML>;
close XML;
}
subtest 'Ignore SP' => sub {
my $lmConf = {};
my $importConf = {
main => {
'ignore-sp' => [
"https://ucopia.univ-brest.fr/",
"http://icampus-test.univ-paris3.fr"
]
}
};
# Run import
my ( $spCounters, $idpCounters ) =
transform_config( $importConf, $lmConf, $xml );
is( $spCounters->{created}, 45 );
is( $spCounters->{ignored}, 2 );
is( $idpCounters->{created}, 12 );
is( $idpCounters->{ignored}, 0 );
};
subtest 'Ignore IDP' => sub {
my $lmConf = {};
my $importConf = {
main => {
'ignore-idp' => [
"https://serveur.uvs.sn/idp/shibboleth",
"https://idp-test.insa-rennes.fr/idp/shibboleth"
]
}
};
# Run import
my ( $spCounters, $idpCounters ) =
transform_config( $importConf, $lmConf, $xml );
is( $spCounters->{created}, 47 );
is( $spCounters->{ignored}, 0 );
is( $idpCounters->{created}, 10 );
is( $idpCounters->{ignored}, 2 );
};
subtest 'Conf Prefix' => sub {
my $lmConf = {};
my $importConf = {
main => {
'idpconfprefix' => 'renater-idp',
'spconfprefix' => 'renater-sp',
}
};
# Run import
transform_config( $importConf, $lmConf, $xml );
is( scalar grep( /^renater-sp/, keys( %{ $lmConf->{samlSPMetaDataXML} } ) ),
47 );
is(
scalar
grep( /^renater-idp/, keys( %{ $lmConf->{samlIDPMetaDataXML} } ) ),
12
);
};
# Make sure matching providers who are not in the metadata are removed
# but non-matching providers are left alone
subtest 'Remove' => sub {
my $lmConf = {
samlSPMetaDataXML => {
'sp-toremove' => { samlSPMetaDataXML => "removeme" },
'tokeep' => { samlSPMetaDataXML => "keepme" },
},
samlSPMetaDataExportedAttributes => {
'sp-toremove' => {},
'tokeep' => {},
},
samlSPMetaDataOptions => {
'sp-toremove' => {},
'tokeep' => {},
},
samlIDPMetaDataXML => {
'idp-toremove' => { samlSPMetaDataXML => "removeme" },
'tokeep' => { samlSPMetaDataXML => "keepme" },
},
samlIDPMetaDataExportedAttributes => {
'idp-toremove' => {},
'tokeep' => {},
},
samlIDPMetaDataOptions => {
'idp-toremove' => {},
'tokeep' => {},
},
};
my $importConf = {
main => {
'remove' => 1,
}
};
# Run import
transform_config( $importConf, $lmConf, $xml );
ok( !$lmConf->{samlSPMetaDataOptions}->{'sp-toremove'} );
ok( $lmConf->{samlSPMetaDataOptions}->{'tokeep'} );
ok( !$lmConf->{samlSPMetaDataExportedAttributes}->{'sp-toremove'} );
ok( $lmConf->{samlSPMetaDataExportedAttributes}->{'tokeep'} );
ok( !$lmConf->{samlSPMetaDataXML}->{'sp-toremove'} );
ok( $lmConf->{samlSPMetaDataXML}->{'tokeep'} );
ok( !$lmConf->{samlIDPMetaDataOptions}->{'idp-toremove'} );
ok( $lmConf->{samlIDPMetaDataOptions}->{'tokeep'} );
ok( !$lmConf->{samlIDPMetaDataExportedAttributes}->{'idp-toremove'} );
ok( $lmConf->{samlIDPMetaDataExportedAttributes}->{'tokeep'} );
ok( !$lmConf->{samlIDPMetaDataXML}->{'idp-toremove'} );
ok( $lmConf->{samlIDPMetaDataXML}->{'tokeep'} );
};
subtest 'IDP Exported attributes' => sub {
my $lmConf = {};
my $importConf = {
exportedAttributes => {
cn => '0;cn',
eduPersonPrincipalName => '1;eduPersonPrincipalName',
},
'https://univ-machineDebian.fr/idp/shibboleth' => {
exported_attribute_uid => '0;uid',
}
};
# Run import
transform_config( $importConf, $lmConf, $xml );
is_deeply(
$lmConf->{samlIDPMetaDataExportedAttributes}
->{'idp-idp-test-insa-rennes-fr-idp-shibboleth'},
{
cn => '0;cn',
eduPersonPrincipalName => '1;eduPersonPrincipalName',
}
);
is_deeply(
$lmConf->{samlIDPMetaDataExportedAttributes}
->{'idp-univ-machineDebian-fr-idp-shibboleth'},
{
cn => '0;cn',
eduPersonPrincipalName => '1;eduPersonPrincipalName',
uid => '0;uid',
}
);
};
subtest 'SP Exported attributes' => sub {
my $lmConf = {};
my $importConf = {
ALL => {
attribute_required => 0,
},
'https://ucopia.univ-brest.fr/' => {
attribute_required => 1,
attribute_required_uid => 0,
}
};
# Run import
transform_config( $importConf, $lmConf, $xml );
like(
$lmConf->{samlSPMetaDataExportedAttributes}
->{'sp-umr5557-kaa-univ-lyon1-fr-sp'}->{mail},
qr/^0/,
);
like(
$lmConf->{samlSPMetaDataExportedAttributes}
->{'sp-ucopia-univ-brest-fr'}->{mail},
qr/^1/,
);
like(
$lmConf->{samlSPMetaDataExportedAttributes}
->{'sp-ucopia-univ-brest-fr'}->{uid},
qr/^0/
);
};
subtest 'Options' => sub {
my $lmConf = {};
my $importConf = {
ALL => {
samlSPMetaDataOptionsCheckSSOMessageSignature => 0,
samlIDPMetaDataOptionsStoreSAMLToken => 1,
},
'https://ucopia.univ-brest.fr/' => {
samlSPMetaDataOptionsCheckSSOMessageSignature => 1
},
'https://univ-machineDebian.fr/idp/shibboleth' => {
samlIDPMetaDataOptionsForceAuthn => 1,
},
};
# Run import
transform_config( $importConf, $lmConf, $xml );
is(
$lmConf->{samlSPMetaDataOptions}->{'sp-ucopia-univ-brest-fr'}
->{samlSPMetaDataOptionsCheckSSOMessageSignature},
1
);
is(
$lmConf->{samlSPMetaDataOptions}->{'sp-wiki-uness-fr'}
->{samlSPMetaDataOptionsCheckSSOMessageSignature},
0
);
is(
$lmConf->{samlIDPMetaDataOptions}
->{'idp-shibboleth-2022-grenoble-archi-fr-idp'}
->{samlIDPMetaDataOptionsStoreSAMLToken},
1
);
is(
$lmConf->{samlIDPMetaDataOptions}
->{'idp-shibboleth-2022-grenoble-archi-fr-idp'}
->{samlIDPMetaDataOptionsForceAuthn},
0
);
is(
$lmConf->{samlIDPMetaDataOptions}
->{'idp-univ-machineDebian-fr-idp-shibboleth'}
->{samlIDPMetaDataOptionsForceAuthn},
1
);
};
done_testing();
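Review bot: the `is()` calls in the 'Options' subtest and the `like()` calls in 'SP Exported attributes' carry no test description, so a failure reports only a line number; give each one a name such as "ALL default applied to sp-wiki-uness-fr". The fourth `is()` in 'Options' also expects `samlIDPMetaDataOptionsForceAuthn` to be 0 for idp-shibboleth-2022-grenoble-archi-fr-idp although neither `ALL` nor that provider sets the key, so the expectation rests on an implicit default inside transform_config; either set `samlIDPMetaDataOptionsForceAuthn => 0` in `ALL` or state in the description that the default value is what is being tested.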


@ -0,0 +1,163 @@
#!/usr/bin/perl
use Test::More;
use strict;
use warnings;
use Storable qw/dclone/;
require_ok('./scripts/importMetadata');
my $xml;
{
local $/ = undef; # Slurp mode
open XML, "t/data/preview-all-test-metadata.xml" or die;
$xml = <XML>;
close XML;
}
my $lmConf = {};
my $importConf = {};
# Run import
my ( $spCounters, $idpCounters ) =
transform_config( $importConf, $lmConf, $xml );
# Check statistics
is_deeply(
$spCounters,
{
'created' => 47,
'found' => 48,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 0
},
"SP counters are expected"
);
is_deeply(
$idpCounters,
{
'created' => 12,
'found' => 13,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 0
},
"IDP counters are expected"
);
is( keys %{ $lmConf->{samlIDPMetaDataXML} }, 12,
"Correct amount of providers" );
is( keys %{ $lmConf->{samlIDPMetaDataExportedAttributes} },
12, "Correct amount of providers" );
is( keys %{ $lmConf->{samlIDPMetaDataOptions} },
12, "Correct amount of providers" );
is( keys %{ $lmConf->{samlSPMetaDataXML} }, 47, "Correct amount of providers" );
is( keys %{ $lmConf->{samlSPMetaDataExportedAttributes} },
47, "Correct amount of providers" );
is( keys %{ $lmConf->{samlSPMetaDataOptions} },
47, "Correct amount of providers" );
my $idp = "idp-idp-test-insa-rennes-fr-idp-shibboleth";
my $sp = "sp-ucopia-univ-brest-fr";
is(
$lmConf->{samlIDPMetaDataExportedAttributes}->{$idp}
->{eduPersonPrincipalName},
'0;eduPersonPrincipalName', "Found exported attribute"
);
is(
$lmConf->{samlSPMetaDataExportedAttributes}->{$sp}->{supannEtablissement},
join( ';',
0,
'urn:oid:1.3.6.1.4.1.7135.1.2.1.14',
'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'supannEtablissement' ),
"Found optional attribute"
);
is(
$lmConf->{samlSPMetaDataExportedAttributes}->{$sp}->{uid},
join( ';',
1,
'urn:oid:0.9.2342.19200300.100.1.1',
'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'uid' ),
"Found required attribute"
);
# Check update
$lmConf->{samlSPMetaDataOptions}->{$sp}
->{samlSPMetaDataOptionsCheckSSOMessageSignature} = 0;
$lmConf->{samlIDPMetaDataOptions}->{$idp}
->{samlIDPMetaDataOptionsAllowProxiedAuthn} = 1;
( $spCounters, $idpCounters ) = transform_config( $importConf, $lmConf, $xml );
# Check statistics
is_deeply(
$spCounters,
{
'created' => 0,
'found' => 48,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 1
},
"SP counters are expected"
);
is_deeply(
$idpCounters,
{
'created' => 0,
'found' => 13,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 1
},
"IDP counters are expected"
);
is(
$lmConf->{samlSPMetaDataOptions}->{$sp}
->{samlSPMetaDataOptionsCheckSSOMessageSignature},
1, "Configuration was updated"
);
is(
$lmConf->{samlIDPMetaDataOptions}->{$idp}
->{samlIDPMetaDataOptionsAllowProxiedAuthn},
0, "Configuration was updated"
);
# Check idempotence
my $oldLmConf = dclone $lmConf;
( $spCounters, $idpCounters ) = transform_config( $importConf, $lmConf, $xml );
is_deeply(
$spCounters,
{
'created' => 0,
'found' => 48,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 0
},
"SP counters are expected"
);
is_deeply(
$idpCounters,
{
'created' => 0,
'found' => 13,
'ignored' => 0,
'rejected' => 1,
'removed' => 0,
'updated' => 0
},
"IDP counters are expected"
);
is_deeply( $lmConf, $oldLmConf );
done_testing();
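Review bot: the fixture read at the top uses a bareword filehandle, two-argument `open` and a bare `die` (`open XML, "t/data/preview-all-test-metadata.xml" or die;`), so a missing or unreadable fixture fails with an uninformative "Died at ..."; prefer `open my $fh, '<', $file or die "Cannot open $file: $!"`. The six `keys %{...}` count checks all share the description "Correct amount of providers", which makes a failing one hard to identify; name the hash being counted in each. The update phase also encodes that a manual change to samlSPMetaDataOptionsCheckSSOMessageSignature is overwritten by a re-import ('updated' => 1, then the value is back to 1); a comment saying that metadata-derived options are authoritative over local edits would make that contract explicit for operators reading the test.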

File diff suppressed because it is too large


@ -56,6 +56,7 @@ lib/Lemonldap/NG/Handler/Server/OAuth2.pm
lib/Lemonldap/NG/Handler/Server/SecureToken.pm
lib/Lemonldap/NG/Handler/Server/ServiceToken.pm
lib/Lemonldap/NG/Handler/Server/ZimbraPreAuth.pm
lib/Lemonldap/NG/SSOaaS/Apache/Client.pm
lib/Plack/Middleware/Auth/LemonldapNG.pm
Makefile.PL
MANIFEST This list of files


@ -27,7 +27,7 @@
"Env" : "0",
"IO::Pipe" : "0",
"Test::MockObject" : "0",
"Test::Pod" : "0",
"Test::Pod" : "1",
"Time::Fake" : "0"
}
},


@ -8,7 +8,7 @@ build_requires:
Env: '0'
IO::Pipe: '0'
Test::MockObject: '0'
Test::Pod: '0'
Test::Pod: '1'
Time::Fake: '0'
configure_requires:
ExtUtils::MakeMaker: '0'


@ -1,184 +1,7 @@
# Apache2 FastCGI client to query remote LL::NG FastCGI server
#
package Lemonldap::NG::Handler::ApacheMP2::FCGIClient;
use strict;
use Apache2::Connection;
use Apache2::RequestUtil;
use Apache2::RequestRec;
use Apache2::Const -compile =>
qw(FORBIDDEN HTTP_UNAUTHORIZED REDIRECT OK DECLINED DONE SERVER_ERROR AUTH_REQUIRED HTTP_SERVICE_UNAVAILABLE);
use Apache2::Log;
use APR::Table;
use IO::Socket::INET;
use FCGI::Client;
use URI;
use URI::Escape qw(uri_unescape);
use Lemonldap::NG::SSOaaS::Apache::Client;
use constant FORBIDDEN => Apache2::Const::FORBIDDEN;
use constant HTTP_UNAUTHORIZED => Apache2::Const::HTTP_UNAUTHORIZED;
use constant REDIRECT => Apache2::Const::REDIRECT;
use constant DECLINED => Apache2::Const::DECLINED;
use constant SERVER_ERROR => Apache2::Const::SERVER_ERROR;
our $VERSION = '2.0.15';
sub handler {
my ( $class, $r ) = @_;
$r ||= $class;
my ( $uri, $args ) = ( $r->uri, $r->args );
my $uri_full = $uri . ( $args ? "?$args" : '' );
my $env = {
#%ENV,
HTTP_HOST => $r->hostname,
REMOTE_ADDR => (
$r->connection->can('remote_ip')
? $r->connection->remote_ip
: $r->connection->client_ip
),
QUERY_STRING => $args,
REQUEST_URI => $uri_full,
PATH_INFO => '',
SERVER_PORT => $r->get_server_port,
REQUEST_METHOD => $r->method,
};
foreach (qw(VHOSTTYPE RULES_URL HTTPS_REDIRECT PORT_REDIRECT)) {
if ( my $t = $r->dir_config($_) ) {
$env->{$_} = $t;
}
}
$r->headers_in->do(
sub {
my $h = shift;
my $k = uc($h);
if ( $k ne 'HOST' ) {
$k =~ s/-/_/g;
$env->{"HTTP_$k"} = $r->headers_in->{$h};
}
return 1;
}
);
$uri = URI->new( "http://" . $r->hostname . $r->unparsed_uri );
$env->{PATH_INFO} = uri_unescape( $uri->path );
my ( $host, $port ) = ( $r->dir_config('LLNG_SERVER') =~ /^(.*):(\d+)$/ );
unless ( $host and $port ) {
print STDERR 'Missing or bad LLNG_SERVER';
return SERVER_ERROR;
}
my $sock = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
) or die $!;
foreach ( keys %$env ) {
delete $env->{$_} unless ( length $env->{$_} );
}
my ( $stdout, $stderr, $status ) =
FCGI::Client::Connection->new( sock => $sock )->request($env);
my %hdrs =
map { s/\r//g; m/(.*?):\s*(.*)/; $_ ? ( $1, $2 ) : () } split /\n+/,
$stdout;
unless ( $hdrs{Status} =~ /^(\d+)\s+(.*?)$/ ) {
print STDERR "Bad status line $hdrs{Status}\n";
return SERVER_ERROR;
}
$status = $1;
if ( ( $status == 302 or $status == 401 ) and $hdrs{Location} ) {
$r->err_headers_out->set( Location => $hdrs{Location} );
return REDIRECT;
}
$r->user( $hdrs{'Lm-Remote-User'} ) if $hdrs{'Lm-Remote-User'};
$r->subprocess_env( REMOTE_CUSTOM => $hdrs{'Lm-Remote-Custom'} )
if $hdrs{'Lm-Remote-Custom'};
my $i = 1;
while ( $hdrs{"Headername$i"} ) {
$r->headers_in->set( $hdrs{"Headername$i"} => $hdrs{"Headervalue$i"} )
if $hdrs{"Headervalue$i"};
$i++;
}
$status = DECLINED if ( $status < 300 );
return $status;
}
our @ISA = ('Lemonldap::NG::SSOaaS::Apache::Client');
1;
__END__
=pod
=encoding utf8
=head1 NAME
Lemonldap::NG::Handler::ApacheMP2::FCGIClient - Apache client for Lemonldap::NG
FastCGI server.
=head1 SYNOPSIS
In apache2.conf:
<VirtualHost ...>
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2::FCGIClient
PerlSetVar LLNG_SERVER 127.0.0.1:9090
PerlSetVar VHOSTTYPE DevOps
# or PerlSetVar VHOSTTYPE DevOpsST
PerlSetVar RULES_URL http://app.tld/rules.json
PerlSetVar HOST HTTP_HOST
PerlSetVar PORT_REDIRECT SERVER_PORT
PerlSetVar HTTPS_REDIRECT HTTPS
...
</VirtualHost>
=head1 DESCRIPTION
Lemonldap::NG::Handler::ApacheMP2::FCGIClient is an alternative to
L<Lemonldap::NG::Handler::ApacheMP2> that replace inside handler. It calls a
remote Lemonldap::NG FastCGI server to get authentication, authorization and
headers.
=head1 SEE ALSO
L<Lemonldap::NG::Handler::ApacheMP2>,
L<https://lemonldap-ng.org/documentation/latest/ssoaas>
=head1 AUTHORS
=over
=item LemonLDAP::NG team L<https://lemonldap-ng.org/team.html>
=back
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<https://lemonldap-ng.org/download.html>
=head1 COPYRIGHT AND LICENSE
See COPYING file for details.
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see L<http://www.gnu.org/licenses/>.
=cut
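Review bot: `our @ISA = ('Lemonldap::NG::SSOaaS::Apache::Client');` after the `use` line works, but `use parent 'Lemonldap::NG::SSOaaS::Apache::Client';` sets inheritance at compile time and performs the `require` itself, so the separate `use` statement and the runtime @ISA assignment can collapse into one line. The rewrite also drops the entire POD block, leaving Lemonldap::NG::Handler::ApacheMP2::FCGIClient with no NAME or SYNOPSIS; keep a short POD stating that the module is a compatibility alias for Lemonldap::NG::SSOaaS::Apache::Client and pointing to its documentation.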


@ -104,7 +104,7 @@ q"I refuse to compile 'rules.json' when useSafeJail isn't activated! Yes I know,
$class->logger->debug("DevOps handler called by $vhost");
$class->locationRulesInit( undef, { $vhost => $json->{rules} } );
$class->headersInit( undef, { $vhost => $json->{headers} } );
$class->headersInit( undef, { $vhost => $json->{headers} } );
$class->tsv->{lastVhostUpdate}->{$vhost} = time;
$class->tsv->{https}->{$vhost} = uc $req->env->{HTTPS_REDIRECT} eq 'ON'
if exists $req->env->{HTTPS_REDIRECT};


@ -1,6 +1,6 @@
package Lemonldap::NG::Handler::Main::Init;
our $VERSION = '2.0.6';
our $VERSION = '2.0.15';
package Lemonldap::NG::Handler::Main;
@ -50,7 +50,8 @@ sub init($$) {
# Set log level for Lemonldap::NG logs
sub logLevelInit {
my ($class) = @_;
my $logger = $class->localConfig->{logger} ||= $class->defaultLogger;
my $logger = $class->localConfig->{logger} ||=
$ENV{LLNG_DEFAULTLOGGER} || $class->defaultLogger;
eval "require $logger";
die $@ if ($@);
my $err;
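Review bot: `$ENV{LLNG_DEFAULTLOGGER}` is now interpolated directly into `eval "require $logger"`, so whatever string is in the environment is compiled as Perl. The environment of a server process is normally trusted, but a stray value (a file path, a name with spaces) turns into a confusing compile error rather than a clear message; validate the name before the eval, for example `die "Bad logger name: $logger" unless $logger =~ /^\w+(?:::\w+)*$/;`, which also guarantees that nothing other than a module name ever reaches the string eval.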


@ -1,6 +1,6 @@
package Lemonldap::NG::Handler::Main::Reload;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
package Lemonldap::NG::Handler::Main;
@ -205,7 +205,8 @@ sub jailInit {
sub defaultValuesInit {
my ( $class, $conf ) = @_;
$class->tsv->{$_} = $conf->{$_} foreach ( qw(
$class->tsv->{$_} = $conf->{$_}
foreach ( qw(
cookieExpiration cookieName customFunctions httpOnly
securedCookie timeout timeoutActivity
timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
@ -214,7 +215,7 @@ sub defaultValuesInit {
authChoiceAuthBasic authChoiceParam hiddenAttributes
upgradeSession
)
);
);
$class->tsv->{cipher} = Lemonldap::NG::Common::Crypto->new( $conf->{key} );
@ -550,6 +551,7 @@ sub conditionSub {
# logout_app
if ( $cond =~ /^logout_app(?:\s+(.*))?$/i ) {
my $u = $1 || $class->tsv->{portal}->();
$class->logger->debug("logout_app redirect to $u");
eval 'use Apache2::Filter' unless ( $INC{"Apache2/Filter.pm"} );
return (
sub {
@ -565,6 +567,7 @@ sub conditionSub {
}
elsif ( $cond =~ /^logout_app_sso(?:\s+(.*))?$/i ) {
my $u = $1 || $class->tsv->{portal}->();
$class->logger->debug("logout_app_sso redirect to $u");
eval 'use Apache2::Filter' unless ( $INC{"Apache2/Filter.pm"} );
return (
sub {
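Review bot: the two new `$class->logger->debug("logout_app redirect to $u")` and `"logout_app_sso redirect to $u"` calls sit in conditionSub outside the anonymous `sub {` that is returned, so they run once when the rule is compiled at configuration reload, not when a request is actually redirected, yet the wording reads as a per-request event. Either move the call inside the returned closure or reword it to something like "logout_app rule compiled with target $u".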


@ -1,7 +1,7 @@
# Main running methods file
package Lemonldap::NG::Handler::Main::Run;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
package Lemonldap::NG::Handler::Main;
@ -227,6 +227,7 @@ sub run {
$class->cleanHeaders($req);
return $class->OK;
}
elsif ( $protection == $class->MAYSKIP
and $class->grant( $req, $session, $uri, $cond ) eq '999_SKIP' )
{
@ -327,8 +328,7 @@ sub getLevel {
}
}
if ($level) {
$class->logger->debug(
'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' );
$class->logger->debug("Found AuthnLevel=$level for \"$vhost$uri\"");
return $level;
}
else {
@ -345,7 +345,7 @@ sub getLevel {
sub grant {
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
return $cond->( $req, $session ) if ($cond);
return $cond->( $req, $session ) if $cond;
$vhost ||= $class->resolveAlias($req);
my $level = $class->getLevel( $req, $uri );
@ -646,14 +646,10 @@ sub _getPort {
return $class->tsv->{port}->{$vhost};
}
else {
if ( defined $class->tsv->{port}->{_}
and ( $class->tsv->{port}->{_} > 0 ) )
{
return $class->tsv->{port}->{_};
}
else {
return $req->port;
}
return ( defined $class->tsv->{port}->{_}
and ( $class->tsv->{port}->{_} > 0 ) )
? $class->tsv->{port}->{_}
: $req->port;
}
}
@ -670,14 +666,10 @@ sub _isHttps {
return $class->tsv->{https}->{$vhost};
}
else {
if ( defined $class->tsv->{https}->{_}
and ( $class->tsv->{https}->{_} > -1 ) )
{
return $class->tsv->{https}->{_};
}
else {
return $req->secure;
}
return ( defined $class->tsv->{https}->{_}
and ( $class->tsv->{https}->{_} > -1 ) )
? $class->tsv->{https}->{_}
: $req->secure;
}
}
@ -715,9 +707,8 @@ sub isUnprotected {
$i++
)
{
if ( $uri =~ $class->tsv->{locationRegexp}->{$vhost}->[$i] ) {
return $class->tsv->{locationProtection}->{$vhost}->[$i];
}
return $class->tsv->{locationProtection}->{$vhost}->[$i]
if ( $uri =~ $class->tsv->{locationRegexp}->{$vhost}->[$i] );
}
return $class->tsv->{defaultProtection}->{$vhost};
}
@ -785,8 +776,8 @@ sub resolveAlias {
$vhost =~ s/:\d+//;
return $class->tsv->{vhostAlias}->{$vhost}
if ( $class->tsv->{vhostAlias}->{$vhost} );
return $vhost if ( $class->tsv->{defaultCondition}->{$vhost} );
if $class->tsv->{vhostAlias}->{$vhost};
return $vhost if $class->tsv->{defaultCondition}->{$vhost};
foreach ( @{ $class->tsv->{vhostReg} } ) {
return $_->[1] if $vhost =~ $_->[0];
}


@ -5,12 +5,14 @@ package Lemonldap::NG::Handler::Server::Main;
use strict;
our $VERSION = '2.0.10';
our $VERSION = '2.0.15';
use base 'Lemonldap::NG::Handler::PSGI::Main';
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Syslog';
$ENV{LLNG_DEFAULTLOGGER} ||= defaultLogger;
# In server mode, headers are not passed to a PSGI application but returned
# to the server
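Review bot: `$ENV{LLNG_DEFAULTLOGGER} ||= defaultLogger;` executes at module load and mutates the process environment, so any other LL::NG component loaded later in the same process (a Manager or Portal mounted beside the server handler in the same worker) will also fall back to Syslog through the new lookup in Handler::Main::Init::logLevelInit. If that cross-component effect is intended, say so in a comment here; otherwise keep the `defaultLogger` constant override in this class and leave %ENV untouched.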


@ -0,0 +1,184 @@
# Apache2 FastCGI client to query remote LL::NG FastCGI server
#
package Lemonldap::NG::SSOaaS::Apache::Client;
use strict;
use Apache2::Connection;
use Apache2::RequestUtil;
use Apache2::RequestRec;
use Apache2::Const -compile =>
qw(FORBIDDEN HTTP_UNAUTHORIZED REDIRECT OK DECLINED DONE SERVER_ERROR AUTH_REQUIRED HTTP_SERVICE_UNAVAILABLE);
use Apache2::Log;
use APR::Table;
use IO::Socket::INET;
use FCGI::Client;
use URI;
use URI::Escape qw(uri_unescape);
use constant FORBIDDEN => Apache2::Const::FORBIDDEN;
use constant HTTP_UNAUTHORIZED => Apache2::Const::HTTP_UNAUTHORIZED;
use constant REDIRECT => Apache2::Const::REDIRECT;
use constant DECLINED => Apache2::Const::DECLINED;
use constant SERVER_ERROR => Apache2::Const::SERVER_ERROR;
our $VERSION = '2.0.15';
sub handler {
my ( $class, $r ) = @_;
$r ||= $class;
my ( $uri, $args ) = ( $r->uri, $r->args );
my $uri_full = $uri . ( $args ? "?$args" : '' );
my $env = {
#%ENV,
HTTP_HOST => $r->hostname,
REMOTE_ADDR => (
$r->connection->can('remote_ip')
? $r->connection->remote_ip
: $r->connection->client_ip
),
QUERY_STRING => $args,
REQUEST_URI => $uri_full,
PATH_INFO => '',
SERVER_PORT => $r->get_server_port,
REQUEST_METHOD => $r->method,
};
foreach (qw(VHOSTTYPE RULES_URL HTTPS_REDIRECT PORT_REDIRECT)) {
if ( my $t = $r->dir_config($_) ) {
$env->{$_} = $t;
}
}
$r->headers_in->do(
sub {
my $h = shift;
my $k = uc($h);
if ( $k ne 'HOST' ) {
$k =~ s/-/_/g;
$env->{"HTTP_$k"} = $r->headers_in->{$h};
}
return 1;
}
);
$uri = URI->new( "http://" . $r->hostname . $r->unparsed_uri );
$env->{PATH_INFO} = uri_unescape( $uri->path );
my ( $host, $port ) = ( $r->dir_config('LLNG_SERVER') =~ /^(.*):(\d+)$/ );
unless ( $host and $port ) {
print STDERR 'Missing or bad LLNG_SERVER';
return SERVER_ERROR;
}
my $sock = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
) or die $!;
foreach ( keys %$env ) {
delete $env->{$_} unless ( length $env->{$_} );
}
my ( $stdout, $stderr, $status ) =
FCGI::Client::Connection->new( sock => $sock )->request($env);
my %hdrs =
map { s/\r//g; m/(.*?):\s*(.*)/; $_ ? ( $1, $2 ) : () } split /\n+/,
$stdout;
unless ( $hdrs{Status} =~ /^(\d+)\s+(.*?)$/ ) {
print STDERR "Bad status line $hdrs{Status}\n";
return SERVER_ERROR;
}
$status = $1;
if ( ( $status == 302 or $status == 401 ) and $hdrs{Location} ) {
$r->err_headers_out->set( Location => $hdrs{Location} );
return REDIRECT;
}
$r->user( $hdrs{'Lm-Remote-User'} ) if $hdrs{'Lm-Remote-User'};
$r->subprocess_env( REMOTE_CUSTOM => $hdrs{'Lm-Remote-Custom'} )
if $hdrs{'Lm-Remote-Custom'};
my $i = 1;
while ( $hdrs{"Headername$i"} ) {
$r->headers_in->set( $hdrs{"Headername$i"} => $hdrs{"Headervalue$i"} )
if $hdrs{"Headervalue$i"};
$i++;
}
$status = DECLINED if ( $status < 300 );
return $status;
}
1;
__END__
=pod
=encoding utf8
=head1 NAME
Lemonldap::NG::SSOaaS::Apache::Client - Apache client for Lemonldap::NG
FastCGI server.
=head1 SYNOPSIS
In apache2.conf:
<VirtualHost ...>
PerlHeaderParserHandler Lemonldap::NG::SSOaaS::Apache::Client
PerlSetVar LLNG_SERVER 127.0.0.1:9090
PerlSetVar VHOSTTYPE DevOps
# or PerlSetVar VHOSTTYPE DevOpsST
PerlSetVar RULES_URL http://app.tld/rules.json
PerlSetVar HOST HTTP_HOST
PerlSetVar PORT_REDIRECT SERVER_PORT
PerlSetVar HTTPS_REDIRECT HTTPS
...
</VirtualHost>
=head1 DESCRIPTION
Lemonldap::NG::SSOaaS::Apache::Client is an alternative to
L<Lemonldap::NG::Handler::ApacheMP2> that replace inside handler. It calls a
remote Lemonldap::NG FastCGI server to get authentication, authorization and
headers.
=head1 SEE ALSO
L<Lemonldap::NG::Handler::ApacheMP2>,
L<https://lemonldap-ng.org/documentation/latest/ssoaas>
=head1 AUTHORS
=over
=item LemonLDAP::NG team L<https://lemonldap-ng.org/team.html>
=back
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<https://lemonldap-ng.org/download.html>
=head1 COPYRIGHT AND LICENSE
See COPYING file for details.
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see L<http://www.gnu.org/licenses/>.
=cut
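Review bot: the header parser `map { s/\r//g; m/(.*?):\s*(.*)/; $_ ? ( $1, $2 ) : () }` tests `$_` instead of the match result, so a non-empty line that does not match (any response body line without a colon, since `split /\n+/` swallows the blank separator) still emits `( $1, $2 )` holding the captures from the previous line, and a body line that does contain a colon is parsed as a header; use `m/^(.*?):\s*(.*)/ ? ( $1, $2 ) : ()` and stop at the first empty line so the body is never treated as headers. Two smaller points in the same handler: `IO::Socket::INET->new(...) or die $!` throws inside an Apache handler where every other failure path returns SERVER_ERROR, and `print STDERR 'Missing or bad LLNG_SERVER'` lacks a newline and bypasses `$r->log_error`; route both through the Apache log and return SERVER_ERROR consistently. `$hdrs{Status}` is also undefined when the FastCGI server sends no Status header, which yields an uninitialized-value warning before the SERVER_ERROR return.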


@ -93,6 +93,8 @@ site/htdocs/static/bwr/es5-shim/es5-shim.min.js
site/htdocs/static/bwr/file-saver.js/FileSaver.js
site/htdocs/static/bwr/file-saver.js/FileSaver.min.js
site/htdocs/static/bwr/file-saver.js/FileSaver.min.js.map
site/htdocs/static/css/custom.css
site/htdocs/static/css/custom.min.css
site/htdocs/static/css/manager.css
site/htdocs/static/css/manager.min.css
site/htdocs/static/forms/authChoice.html


@ -25,6 +25,7 @@
"Email::Sender" : "0",
"IO::String" : "0",
"Regexp::Common" : "0",
"Test::Output" : "0",
"Test::Pod" : "1"
}
},
@ -58,6 +59,6 @@
],
"x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
},
"version" : "v2.0.14",
"version" : "v2.0.15",
"x_serialization_backend" : "JSON::PP version 4.04"
}


@ -6,6 +6,7 @@ build_requires:
Email::Sender: '0'
IO::String: '0'
Regexp::Common: '0'
Test::Output: '0'
Test::Pod: '1'
configure_requires:
ExtUtils::MakeMaker: '0'
@ -34,5 +35,5 @@ resources:
bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
homepage: https://lemonldap-ng.org/
license: http://opensource.org/licenses/GPL-2.0
version: v2.0.14
version: v2.0.15
x_serialization_backend: 'CPAN::Meta::YAML version 0.018'


@ -17,7 +17,7 @@ use JSON;
use Lemonldap::NG::Common::Conf::Constants;
use Lemonldap::NG::Common::PSGI::Constants;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
extends qw(
Lemonldap::NG::Handler::PSGI::Router
@ -66,7 +66,7 @@ sub init {
my @res = ( "Lemonldap::NG::Manager::" . ucfirst($_) );
if ( my $tmp = $self->loadPlugin( @res, $conf ) ) {
$self->logger->debug("Plugin $_ loaded");
push @links, $_;
push @links, $_;
push @{ $self->loadedPlugins }, $tmp;
$self->hLoadedPlugins->{$_} = $tmp;
}
@ -183,10 +183,9 @@ sub javascript {
return
'var formPrefix=staticPrefix+"forms/";var confPrefix=scriptname+"confs/";var viewPrefix=scriptname+"view/";'
. 'var allowDiff=' . "$res;"
. 'var impPrefix=' . "'"
. $impPrefix . "'" . ';'
. 'var sessionTTL=' . "$ttl;"
. "var allowDiff=$res;"
. "var sessionTTL=$ttl;"
. "var impPrefix='$impPrefix';"
. ( $self->links ? 'var links=' . to_json( $self->links ) . ';' : '' )
. (
$self->menuLinks
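Review bot: `"var impPrefix='$impPrefix';"` interpolates a configuration value into the generated script with no escaping, exactly as the replaced concatenation did; a single quote or backslash in the impersonation prefix would break the script. Since `to_json` is already used on the next line for `links`, emitting the value as a JSON string (`'var impPrefix=' . JSON->new->allow_nonref->encode($impPrefix) . ';'`) produces the same output for ordinary values and stays well-formed for any value.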


@ -1,7 +1,7 @@
# This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
package Lemonldap::NG::Manager::Attributes;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub perlExpr {
my($val, $conf) = @_;
@ -659,6 +659,9 @@ sub attributes {
'default' => 30,
'type' => 'int'
},
'captcha' => {
'type' => 'PerlModule'
},
'captcha_login_enabled' => {
'default' => 0,
'type' => 'bool'
@ -675,6 +678,9 @@ sub attributes {
'default' => 6,
'type' => 'int'
},
'captchaOptions' => {
'type' => 'keyTextContainer'
},
'casAccessControlPolicy' => {
'default' => 'none',
'select' => [
@ -776,6 +782,10 @@ sub attributes {
'default' => 0,
'type' => 'bool'
},
'casSrvMetaDataOptionsResolutionRule' => {
'default' => '',
'type' => 'longtext'
},
'casSrvMetaDataOptionsSortNumber' => {
'type' => 'int'
},
@ -1367,6 +1377,9 @@ sub attributes {
'ext2fLogo' => {
'type' => 'text'
},
'ext2fResendInterval' => {
'type' => 'text'
},
'ext2FSendCommand' => {
'type' => 'text'
},
@ -1974,6 +1987,9 @@ sub attributes {
'mail2fLogo' => {
'type' => 'text'
},
'mail2fResendInterval' => {
'type' => 'text'
},
'mail2fSessionKey' => {
'type' => 'text'
},
@ -2255,6 +2271,10 @@ sub attributes {
'oidcOPMetaDataOptionsPrompt' => {
'type' => 'text'
},
'oidcOPMetaDataOptionsResolutionRule' => {
'default' => '',
'type' => 'longtext'
},
'oidcOPMetaDataOptionsScope' => {
'default' => 'openid profile',
'type' => 'text'
@ -2430,6 +2450,10 @@ sub attributes {
],
'type' => 'select'
},
'oidcRPMetaDataOptionsLogoutBypassConfirm' => {
'default' => 0,
'type' => 'bool'
},
'oidcRPMetaDataOptionsLogoutSessionRequired' => {
'default' => 0,
'type' => 'bool'
@ -3178,6 +3202,9 @@ sub attributes {
'rest2fAuthnLevel' => {
'type' => 'int'
},
'rest2fCodeActivation' => {
'type' => 'pcre'
},
'rest2fInitArgs' => {
'keyMsgFail' => '__badKeyName__',
'keyTest' => qr/^\w+$/,
@ -3194,6 +3221,9 @@ sub attributes {
'rest2fLogo' => {
'type' => 'text'
},
'rest2fResendInterval' => {
'type' => 'text'
},
'rest2fVerifyArgs' => {
'type' => 'keyTextContainer'
},
@ -3932,6 +3962,10 @@ sub attributes {
'default' => 0,
'type' => 'bool'
},
'scrollTop' => {
'default' => 400,
'type' => 'int'
},
'securedCookie' => {
'default' => 0,
'select' => [
@ -4009,6 +4043,9 @@ sub attributes {
},
'type' => 'sfExtraContainer'
},
'sfLoginTimeout' => {
'type' => 'int'
},
'sfManagerRule' => {
'default' => 1,
'type' => 'boolOrExpr'


@ -6,7 +6,7 @@
package Lemonldap::NG::Manager::Build::Attributes;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
use strict;
use Regexp::Common qw/URI/;
@ -425,6 +425,11 @@ sub attributes {
default => 1,
documentation => 'Display langs icons',
},
scrollTop => {
type => 'int',
default => 400,
documentation => 'Display back to top button',
},
staticPrefix => {
type => 'text',
documentation => 'Prefix of static files for HTML templates',
@ -1504,6 +1509,16 @@ sub attributes {
default => 6,
documentation => 'Captcha size',
},
captcha => {
type => 'PerlModule',
documentation => 'Captcha backend module',
flags => 'hp',
},
captchaOptions => {
type => 'keyTextContainer',
documentation => 'Captcha module options',
flags => 'hp',
},
# Variables
exportedVars => {
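Review bot: `captcha` is a `PerlModule`-typed value naming code the portal will load, and neither it nor `captchaOptions` documents which interface the backend must implement or what is used when the value is empty; extend the two `documentation` strings accordingly, and make sure the manager's check for the PerlModule type accepts only module-name patterns, since a configuration key that names code to load deserves a strict check at save time.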
@ -2040,6 +2055,10 @@ sub attributes {
type => 'int',
documentation => 'Second factor code timeout',
},
mail2fResendInterval => {
type => 'text',
documentation => 'Delay before user is allowed to resend code',
},
mail2fAuthnLevel => {
type => 'int',
documentation =>
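Review bot: `mail2fResendInterval` is declared `type => 'text'` although its documentation describes a delay and the neighbouring `mail2fTimeout` is an `int`; declare it `int` and state the unit in the documentation (for example 'Delay in seconds before user is allowed to resend code') so the manager rejects non-numeric values instead of leaving the portal to compare a string. The same applies to `ext2fResendInterval` and `rest2fResendInterval` added further down.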
@ -2077,6 +2096,10 @@ sub attributes {
type => 'text',
documentation => 'Validation command of External second factor',
},
ext2fResendInterval => {
type => 'text',
documentation => 'Delay before user is allowed to resend code',
},
ext2fAuthnLevel => {
type => 'int',
documentation =>
@ -2128,6 +2151,10 @@ sub attributes {
default => 0,
documentation => 'REST second factor activation',
},
rest2fCodeActivation => {
type => 'pcre',
documentation => 'OTP generated by Portal',
},
rest2fInitUrl => {
type => 'url',
documentation => 'REST 2F init URL',
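Review bot: the documentation for `rest2fCodeActivation` ('OTP generated by Portal') describes a feature rather than the value; since the type is `pcre`, say what the expression is applied to, for example 'Regular expression matching portal-generated OTP codes', so the manager help text tells an administrator what to enter.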
@ -2152,6 +2179,10 @@ sub attributes {
type => 'keyTextContainer',
documentation => 'Args for REST 2F init',
},
rest2fResendInterval => {
type => 'text',
documentation => 'Delay before user is allowed to resend code',
},
rest2fAuthnLevel => {
type => 'int',
documentation =>
@ -3399,6 +3430,10 @@ sub attributes {
help => 'secondfactor.html',
documentation => 'Notification message',
},
sfLoginTimeout => {
type => 'int',
documentation => 'Timeout for 2F login process',
},
sfRegisterTimeout => {
type => 'int',
documentation => 'Timeout for 2F registration process',
@ -3703,6 +3738,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
type => 'int',
documentation => 'Number to sort buttons',
},
casSrvMetaDataOptionsResolutionRule => {
type => 'longtext',
default => '',
},
# Fake attribute: used by manager REST API to agglomerate all nodes
# related to a CAS IDP partner
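Review bot: `casSrvMetaDataOptionsResolutionRule` has no `documentation` entry while the neighbouring `casSrvMetaDataOptionsSortNumber` in this hunk has one ('Number to sort buttons'); add a line such as 'Rule to select this CAS server automatically', and do the same for `oidcOPMetaDataOptionsResolutionRule` added below.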
@ -4402,6 +4441,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
oidcOPMetaDataOptionsIcon => { type => 'text', },
oidcOPMetaDataOptionsStoreIDToken => { type => 'bool', default => 0 },
oidcOPMetaDataOptionsSortNumber => { type => 'int', },
oidcOPMetaDataOptionsResolutionRule => {
type => 'longtext',
default => '',
},
# OpenID Connect relying parties
oidcRPMetaDataExportedVars => {
@ -4479,7 +4522,12 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 0
},
oidcRPMetaDataOptionsPostLogoutRedirectUris => { type => 'text', },
oidcRPMetaDataOptionsLogoutUrl => {
oidcRPMetaDataOptionsLogoutBypassConfirm => {
type => 'bool',
default => 0,
documentation => 'Bypass logout confirmation'
},
oidcRPMetaDataOptionsLogoutUrl => {
type => 'url',
documentation => 'Logout URL',
},


@ -14,7 +14,7 @@
package Lemonldap::NG::Manager::Build::CTrees;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
sub cTrees {
return {
@ -82,7 +82,6 @@ sub cTrees {
help => 'authsaml.html#options',
form => 'simpleInputContainer',
nodes => [
'samlIDPMetaDataOptionsResolutionRule',
'samlIDPMetaDataOptionsNameIDFormat',
'samlIDPMetaDataOptionsForceAuthn',
'samlIDPMetaDataOptionsIsPassive',
@ -98,6 +97,7 @@ sub cTrees {
nodes => [
"samlIDPMetaDataOptionsDisplayName",
"samlIDPMetaDataOptionsIcon",
'samlIDPMetaDataOptionsResolutionRule',
"samlIDPMetaDataOptionsSortNumber"
]
}
@ -186,6 +186,7 @@ sub cTrees {
nodes => [
'oidcOPMetaDataOptionsDisplayName',
'oidcOPMetaDataOptionsIcon',
'oidcOPMetaDataOptionsResolutionRule',
'oidcOPMetaDataOptionsSortNumber'
]
},
@ -249,6 +250,7 @@ sub cTrees {
title => 'logout',
form => 'simpleInputContainer',
nodes => [
'oidcRPMetaDataOptionsLogoutBypassConfirm',
'oidcRPMetaDataOptionsPostLogoutRedirectUris',
'oidcRPMetaDataOptionsLogoutUrl',
'oidcRPMetaDataOptionsLogoutType',
@ -285,6 +287,7 @@ sub cTrees {
nodes => [
'casSrvMetaDataOptionsDisplayName',
'casSrvMetaDataOptionsIcon',
'casSrvMetaDataOptionsResolutionRule',
'casSrvMetaDataOptionsSortNumber',
]
},


@ -17,7 +17,7 @@
package Lemonldap::NG::Manager::Build::Tree;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
# TODO: Missing:
# * activeTimer
@ -55,6 +55,7 @@ sub tree {
'portalMainLogo',
'portalFavicon',
'showLanguages',
'scrollTop',
'portalCustomCss',
'portalSkin',
'portalSkinBackground',
@ -73,7 +74,7 @@ sub tree {
},
{
title => 'passwordManagement',
help =>
help =>
'portalcustom.html#password-management',
form => 'simpleInputContainer',
nodes => [
@ -100,7 +101,7 @@ sub tree {
},
{
title => 'portalOther',
help =>
help =>
'portalcustom.html#other-parameters',
form => 'simpleInputContainer',
nodes => [
@ -117,20 +118,24 @@ sub tree {
},
{
title => 'portalCaptcha',
help => 'captcha.html',
form => 'simpleInputContainer',
help => 'captcha.html#configuration',
nodes => [
'captcha_login_enabled',
'captcha_mail_enabled',
'captcha_register_enabled',
'captcha_size',
{
title => 'captchaCustom',
help => 'captcha.html#configuration',
nodes => [ 'captcha', 'captchaOptions', ]
},
]
}
]
},
{
title => 'authParams',
help =>
help =>
'start.html#authentication-users-and-password-databases',
form => 'authParams',
nodes => [
@ -651,7 +656,7 @@ sub tree {
},
{
title => 'soapServices',
help =>
help =>
'portalservers.html#SOAP_(deprecated)',
form => 'simpleInputContainer',
nodes => [
@ -685,7 +690,7 @@ sub tree {
'notificationStorageOptions',
{
title => 'serverNotification',
help =>
help =>
'notifications.html#notification-server',
nodes => [
'notificationServer',
@ -897,6 +902,7 @@ sub tree {
'sfManagerRule',
'sfRequired',
'sfOnlyUpgrade',
'sfLoginTimeout',
'sfRegisterTimeout',
{
title => 'utotp2f',
@ -965,8 +971,8 @@ sub tree {
'mail2fActivation', 'mail2fCodeRegex',
'mail2fTimeout', 'mail2fSubject',
'mail2fBody', 'mail2fSessionKey',
'mail2fAuthnLevel', 'mail2fLabel',
'mail2fLogo'
'mail2fResendInterval', 'mail2fAuthnLevel',
'mail2fLabel', 'mail2fLogo'
]
},
{
@ -974,10 +980,10 @@ sub tree {
help => 'external2f.html',
form => 'simpleInputContainer',
nodes => [
'ext2fActivation', 'ext2fCodeActivation',
'ext2fActivation', 'ext2fCodeActivation',
'ext2FSendCommand', 'ext2FValidateCommand',
'ext2fAuthnLevel', 'ext2fLabel',
'ext2fLogo'
'ext2fResendInterval', 'ext2fAuthnLevel',
'ext2fLabel', 'ext2fLogo',
]
},
{
@ -1000,10 +1006,11 @@ sub tree {
help => 'rest2f.html',
form => 'simpleInputContainer',
nodes => [
'rest2fActivation', 'rest2fInitUrl',
'rest2fInitArgs', 'rest2fVerifyUrl',
'rest2fVerifyArgs', 'rest2fAuthnLevel',
'rest2fLabel', 'rest2fLogo'
'rest2fActivation', 'rest2fCodeActivation',
'rest2fInitUrl', 'rest2fInitArgs',
'rest2fVerifyUrl', 'rest2fVerifyArgs',
'rest2fResendInterval', 'rest2fAuthnLevel',
'rest2fLabel', 'rest2fLogo'
]
},
{


@ -8,7 +8,7 @@ use Lemonldap::NG::Handler::Main;
use Lemonldap::NG::Common::Util qw(getSameSite);
use URI;
our $VERSION = '2.0.14';
our $VERSION = '2.0.15';
## @method hashref tests(hashref conf)
# Return a hash ref where keys are the names of the tests and values
@ -552,22 +552,18 @@ sub tests {
}
# Use WebAuthn
if ( $conf->{webauthn2fActivation} )
{
if ( $conf->{webauthn2fActivation} ) {
eval "use Authen::WebAuthn";
return ( 1,
"Authen::WebAuthn module is required to enable WebAuthn"
) if ($@);
"Authen::WebAuthn module is required to enable WebAuthn" )
if ($@);
}
# WebAuthn requires https://
if ( $conf->{webauthn2fActivation} )
{
my $portal_uri = URI->new($conf->{portal});
unless ($portal_uri->scheme eq "https") {
return ( 1,
"WebAuthn requires HTTPS"
);
if ( $conf->{webauthn2fActivation} ) {
my $portal_uri = URI->new( $conf->{portal} );
unless ( $portal_uri->scheme eq "https" ) {
return ( 1, "WebAuthn requires HTTPS" );
}
}
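Review bot: the two `if ( $conf->{webauthn2fActivation} )` blocks are gated on the same condition and can be merged into one. Inside the second, `$portal_uri->scheme` is undef when `portal` is not an absolute URL, so `eq "https"` emits an uninitialized-value warning before 'WebAuthn requires HTTPS' is reported; write `unless ( ( $portal_uri->scheme // '' ) eq 'https' )`, or return a distinct message for a portal value that does not parse as a URL.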


@ -114,7 +114,7 @@ categories =
saml: ['_idp', '_idpConfKey', '_samlToken', '_lassoSessionDump', '_lassoIdentityDump']
groups: ['groups', 'hGroups']
ldap: ['dn']
OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token']
OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token', '_oidc_refresh_token', '_oidc_access_token_eol']
sfaTitle: ['_2fDevices']
oidcConsents: ['_oidcConsents']
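Review bot: adding `_oidc_refresh_token` to the `OpenIDConnect` display category makes the refresh token obtained from an upstream OP visible to anyone who can open the session in the Manager session explorer. A refresh token is a long-lived credential, so it should be masked in that view (or at least called out in the session-explorer documentation as sensitive data that Manager operators can read); `_oidc_access_token_eol` is harmless and useful when debugging token refresh.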

View File

@ -0,0 +1,3 @@
#navbar {
background-color: #ffb84d;
}

View File

@ -0,0 +1 @@
#navbar{background-color:#ffb84d}

View File

@ -146,6 +146,13 @@ function templates(tpl,key) {
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsIcon",
"title" : "casSrvMetaDataOptionsIcon"
},
{
"default" : "",
"get" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsResolutionRule",
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsResolutionRule",
"title" : "casSrvMetaDataOptionsResolutionRule",
"type" : "longtext"
},
{
"get" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",
"id" : tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",
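Review bot: `casSrvMetaDataOptionsResolutionRule` is declared as a free-form `longtext` with default `""`; whether the Manager validates it as a rule expression, as it does for the other `*Rule` options, is not visible in this hunk. If the rule is evaluated at authentication time, a syntax error should be caught at save time rather than at login, and the meaning of the empty default (never selected automatically, or always eligible and ordered by `casSrvMetaDataOptionsSortNumber`) needs documenting. The same remarks apply to the `oidcOPMetaDataOptionsResolutionRule` and `samlIDPMetaDataOptionsResolutionRule` nodes below.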
@ -362,6 +369,13 @@ function templates(tpl,key) {
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIcon",
"title" : "oidcOPMetaDataOptionsIcon"
},
{
"default" : "",
"get" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsResolutionRule",
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsResolutionRule",
"title" : "oidcOPMetaDataOptionsResolutionRule",
"type" : "longtext"
},
{
"get" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",
"id" : tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",
@ -695,6 +709,13 @@ function templates(tpl,key) {
},
{
"_nodes" : [
{
"default" : 0,
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutBypassConfirm",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutBypassConfirm",
"title" : "oidcRPMetaDataOptionsLogoutBypassConfirm",
"type" : "bool"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",
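Review bot: the default of `0` for `oidcRPMetaDataOptionsLogoutBypassConfirm` is the right choice: with the confirmation bypassed, a logout request arriving from this relying party ends the user's SSO session without any interaction. Because the option is per RP it can be limited to trusted clients, but the help text should spell out that trade-off so that administrators do not enable it globally for convenience.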
@ -976,13 +997,6 @@ function templates(tpl,key) {
},
{
"_nodes" : [
{
"default" : "",
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",
"id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",
"title" : "samlIDPMetaDataOptionsResolutionRule",
"type" : "longtext"
},
{
"default" : "",
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsNameIDFormat",
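Review bot: this hunk only removes the `samlIDPMetaDataOptionsResolutionRule` node; an identical block (same `default`, `get`, `id`, `title` and `type`) reappears in the `@@ -1114` hunk below, so this is a relocation of the node to sit beside `samlIDPMetaDataOptionsIcon` and `samlIDPMetaDataOptionsSortNumber`, matching the CAS and OIDC OP layouts added in this commit. Nothing functional changes; if this file is generated from the Perl attribute definitions, the move should come from the source definition rather than a hand edit so the next regeneration does not undo it.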
@ -1114,6 +1128,13 @@ function templates(tpl,key) {
"id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIcon",
"title" : "samlIDPMetaDataOptionsIcon"
},
{
"default" : "",
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",
"id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",
"title" : "samlIDPMetaDataOptionsResolutionRule",
"type" : "longtext"
},
{
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",
"id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -126,7 +126,7 @@
saml: ['_idp', '_idpConfKey', '_samlToken', '_lassoSessionDump', '_lassoIdentityDump'],
groups: ['groups', 'hGroups'],
ldap: ['dn'],
OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token'],
OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token', '_oidc_refresh_token', '_oidc_access_token_eol'],
sfaTitle: ['_2fDevices'],
oidcConsents: ['_oidcConsents']
};
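Review bot: this is the JavaScript copy of the category list changed in the YAML hunk earlier in this commit; the two lists must stay identical and the duplication is easy to miss in review. If the build cannot derive one from the other, a comment in each file pointing at its twin would help. The remark about `_oidc_refresh_token` being a long-lived credential that should be masked applies to this display as well.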

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Maximum lock time",
"bruteForceProtectionTempo":"Lock time",
"cancel":"إلغاء",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"التفعيل في استمارة تسجيل الدخول",
"captcha_mail_enabled":"التفعيل في إعادة تعيين كلمة المرور بواسطة استمارة البريد",
"captcha_register_enabled":"التفعيل في استمارة التسجيل",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"مسارالأيقونة",
"casSrvMetaDataOptionsProxiedServices":"خدمات البروكسي",
"casSrvMetaDataOptionsRenew":"تجديد إثبات الهوية",
"casSrvMetaDataOptionsResolutionRule":"حل القاعدة",
"casSrvMetaDataOptionsSortNumber":"Order",
"casSrvMetaDataOptionsUrl":" يو أر ل الخادم",
"casSrvName":"اسم خادم كاس",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Code regex",
"ext2fLabel":"Label",
"ext2fLogo":"شعار",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"هوية تطبيق فاسيبوك",
"facebookAppSecret":"كلمة السرلتطبيق فاسيبوك",
"facebookAuthnLevel":"مستوى إثبات الهوية",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Code regex",
"mail2fLabel":"Label",
"mail2fLogo":"شعار",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"مفتاح الجلسة الذي يحتوي على عنوان البريد الإلكتروني",
"mail2fSubject":"نجاح عنوان البريد",
"mail2fTimeout":"Code timeout",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"الحد الأقصى للعمر",
"oidcOPMetaDataOptionsPrompt":"عاجل",
"oidcOPMetaDataOptionsProtocol":"بروتوكول",
"oidcOPMetaDataOptionsResolutionRule":"حل القاعدة",
"oidcOPMetaDataOptionsScope":"نطاق",
"oidcOPMetaDataOptionsSortNumber":"Order",
"oidcOPMetaDataOptionsStoreIDToken":"مخزن تعريف التوكن",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Force claims to be returned in ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"خوارزمية توقيع آي دي التوكن",
"oidcRPMetaDataOptionsIcon":"شعار",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"جلسة مطلوب",
"oidcRPMetaDataOptionsLogoutType":"نوع",
"oidcRPMetaDataOptionsLogoutUrl":"يو آر إل",
@ -889,11 +897,13 @@
"requireToken":"يتطلب توكن للإستمارة",
"rest2f":"REST second factor",
"rest2fActivation":"تفعيل",
"rest2fCodeActivation":"Code regex",
"rest2fAuthnLevel":"مستوى إثبات الهوية",
"rest2fInitArgs":"Init arguments",
"rest2fInitUrl":"Init URL",
"rest2fLabel":"Label",
"rest2fLogo":"شعار",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Verify arguments",
"rest2fVerifyUrl":"Verify URL",
"restAuthServer":"Authentication server",
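Review bot: `"rest2fCodeActivation":"Code regex"` is inserted between `rest2fActivation` and `rest2fAuthnLevel`, which breaks the alphabetical key order the rest of this file follows (`rest2fAuthnLevel` sorts before `rest2fCodeActivation`); the same placement is repeated in every language file in this commit, so it should be fixed at the source of these files. The new labels left in English here (`captcha`, `ext2fResendInterval`, `rest2fResendInterval`, `scrollTop`, `sfLoginTimeout`) are acceptable as a fallback but should be listed for the Arabic translators.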
@ -1060,6 +1070,7 @@
"saveReport":"احفظ التقرير",
"savingConfirmation":"حفظ التأكيد",
"scope":"نطاق",
"scrollTop":"Scroll to top button",
"search":"Search...",
"secondFactors":"Second factors",
"securedCookie":"ملفات تعريف الارتباط المضمونة (سسل)",
@ -1079,6 +1090,7 @@
"session_s":"جلسة( أو جلسات )",
"sessions":"الجلسات",
"sfExtra":"Additional second factors",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRegisterTimeout":"Registration timeout",

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Maximum lock time",
"bruteForceProtectionTempo":"Lock time",
"cancel":"Cancel",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"Activation in login form",
"captcha_mail_enabled":"Activation in password reset by mail form",
"captcha_register_enabled":"Activation in register form",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"Icon path",
"casSrvMetaDataOptionsProxiedServices":"Proxied services",
"casSrvMetaDataOptionsRenew":"Renew authentication",
"casSrvMetaDataOptionsResolutionRule":"Resolution rule",
"casSrvMetaDataOptionsSortNumber":"Order",
"casSrvMetaDataOptionsUrl":"Server URL",
"casSrvName":"CAS Server Name",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Code regex",
"ext2fLabel":"Label",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"Facebook application ID",
"facebookAppSecret":"Facebook application secret",
"facebookAuthnLevel":"Authentication level",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Code regex",
"mail2fLabel":"Label",
"mail2fLogo":"Logo",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"Session key containing mail address",
"mail2fSubject":"Mail subject",
"mail2fTimeout":"Code timeout",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Max age",
"oidcOPMetaDataOptionsPrompt":"Prompt",
"oidcOPMetaDataOptionsProtocol":"Protocol",
"oidcOPMetaDataOptionsResolutionRule":"Resolution rule",
"oidcOPMetaDataOptionsScope":"Scope",
"oidcOPMetaDataOptionsSortNumber":"Order",
"oidcOPMetaDataOptionsStoreIDToken":"Store ID Token",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Force claims to be returned in ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"ID Token signature algorithm",
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Session required",
"oidcRPMetaDataOptionsLogoutType":"Type",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
@ -889,11 +897,13 @@
"requireToken":"Require token for forms",
"rest2f":"REST second factor",
"rest2fActivation":"Activation",
"rest2fCodeActivation":"Code regex",
"rest2fAuthnLevel":"Authentication level",
"rest2fInitArgs":"Init arguments",
"rest2fInitUrl":"Init URL",
"rest2fLabel":"Label",
"rest2fLogo":"Logo",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Verify arguments",
"rest2fVerifyUrl":"Verify URL",
"restAuthServer":"Authentication server",
@ -1060,6 +1070,7 @@
"saveReport":"Save report",
"savingConfirmation":"Saving confirmation",
"scope":"Scope",
"scrollTop":"Scroll to top button",
"search":"Search...",
"secondFactors":"Second factors",
"securedCookie":"Secured Cookie (SSL)",
@ -1079,6 +1090,7 @@
"session_s":"session(s)",
"sessions":"Sessions",
"sfExtra":"Additional second factors",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRegisterTimeout":"Registration timeout",

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Maximum lock time",
"bruteForceProtectionTempo":"Lock time",
"cancel":"Cancelar",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"Activación en formulario de acceso",
"captcha_mail_enabled":"Activación en formulario de restauración por correo",
"captcha_register_enabled":"Activación en formulario de registro",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"Icon path",
"casSrvMetaDataOptionsProxiedServices":"Servicios proxificados",
"casSrvMetaDataOptionsRenew":"Renovar autentificación",
"casSrvMetaDataOptionsResolutionRule":"Resolution rule",
"casSrvMetaDataOptionsSortNumber":"Orden",
"casSrvMetaDataOptionsUrl":"URL de servicio",
"casSrvName":"Nombre de servidor CAS",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Expresión regular",
"ext2fLabel":"Etiqueta",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"Facebook application ID",
"facebookAppSecret":"Facebook application secret",
"facebookAuthnLevel":"Nivel de autentificación",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Regex",
"mail2fLabel":"Etiqueta",
"mail2fLogo":"Logotipo",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"Clave de sesión que contiene dirección de correo",
"mail2fSubject":"Subject del correo",
"mail2fTimeout":"Caducidad de código",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Max age",
"oidcOPMetaDataOptionsPrompt":"Prompt",
"oidcOPMetaDataOptionsProtocol":"Protocolo",
"oidcOPMetaDataOptionsResolutionRule":"Resolution rule",
"oidcOPMetaDataOptionsScope":"Ámbito",
"oidcOPMetaDataOptionsSortNumber":"Orden",
"oidcOPMetaDataOptionsStoreIDToken":"Guardar token ID",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Force claims to be returned in ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algoritmo de firma del token ID",
"oidcRPMetaDataOptionsIcon":"Logotipo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Se requiere sesión",
"oidcRPMetaDataOptionsLogoutType":"Tipo",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
@ -889,11 +897,13 @@
"requireToken":"Require token for forms",
"rest2f":"Previo",
"rest2fActivation":"Activación",
"rest2fCodeActivation":"Regex",
"rest2fAuthnLevel":"Nivel de autentificación",
"rest2fInitArgs":"Argumentos de inicio",
"rest2fInitUrl":"URL de inicio",
"rest2fLabel":"Etiqueta",
"rest2fLogo":"Logotipo",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Verificar argumentos",
"rest2fVerifyUrl":"Verificar URL",
"restAuthServer":"Authentication server",
@ -1060,6 +1070,7 @@
"saveReport":"Salvar informe",
"savingConfirmation":"Salvando confirmación",
"scope":"Ámbito",
"scrollTop":"Scroll to top button",
"search":"Buscar...",
"secondFactors":"Segundos factores",
"securedCookie":"Cookie segura (SSL)",
@ -1079,6 +1090,7 @@
"session_s":"sesión(es)",
"sessions":"Sesiones",
"sfExtra":"Segundos factores adicionales",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRegisterTimeout":"Registration timeout",

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Temps maximum de verrouillage",
"bruteForceProtectionTempo":"Temps de verrouillage",
"cancel":"Annuler",
"captcha":"Module Captcha",
"captchaCustom":"Module Captcha personnalisé",
"captchaOptions":"Options du module Captcha",
"captcha_login_enabled":"Activation dans le formulaire d'authentification",
"captcha_mail_enabled":"Activation dans le formulaire de réinitialisation par mail",
"captcha_register_enabled":"Activation dans le formulaire de création de compte",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"Chemin de l'icône",
"casSrvMetaDataOptionsProxiedServices":"Services mandatés",
"casSrvMetaDataOptionsRenew":"Renouveler l'authentification",
"casSrvMetaDataOptionsResolutionRule":"Règle de résolution",
"casSrvMetaDataOptionsSortNumber":"Ordre",
"casSrvMetaDataOptionsUrl":"URL du serveur",
"casSrvName":"Nom du serveur CAS",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Expression régulière pour la génération du code",
"ext2fLabel":"Label",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Intervalle de retransmission",
"facebookAppId":"ID de l'application Facebook",
"facebookAppSecret":"Secret de l'application Facebook",
"facebookAuthnLevel":"Niveau d'authentification",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Expression régulière pour la génération du code",
"mail2fLabel":"Label",
"mail2fLogo":"Logo",
"mail2fResendInterval":"Intervalle de retransmission",
"mail2fSessionKey":"Clef de session contenant l'adresse email",
"mail2fSubject":"Sujet du message d'envoi du code",
"mail2fTimeout":"Délai d'expiration du code",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Age maximum",
"oidcOPMetaDataOptionsPrompt":"Interaction",
"oidcOPMetaDataOptionsProtocol":"Protocole",
"oidcOPMetaDataOptionsResolutionRule":"Règle de résolution",
"oidcOPMetaDataOptionsScope":"Scope",
"oidcOPMetaDataOptionsSortNumber":"Ordre",
"oidcOPMetaDataOptionsStoreIDToken":"Conserver le jeton d'identité",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Forcer la publication des attributs dans le jeton d'identité",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algorithme de signature des jetons d'identité",
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Contourner la confirmation",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Session requise",
"oidcRPMetaDataOptionsLogoutType":"Type",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
@ -889,11 +897,13 @@
"requireToken":"Exiger un jeton pour les formulaires",
"rest2f":"Second facteur REST",
"rest2fActivation":"Activation",
"rest2fCodeActivation":"Expression régulière pour la génération du code",
"rest2fAuthnLevel":"Niveau d'authentification",
"rest2fInitArgs":"Arguments d'initialisation",
"rest2fInitUrl":"URL d'initialisation",
"rest2fLabel":"Label",
"rest2fLogo":"Logo",
"rest2fResendInterval":"Intervalle de retransmission",
"rest2fVerifyArgs":"Arguments de vérification",
"rest2fVerifyUrl":"URL de vérification",
"restAuthServer":"Serveur d'authentification",
@ -1060,7 +1070,8 @@
"saveReport":"Rapport de sauvegarde",
"savingConfirmation":"Confirmation de sauvegarde",
"scope":"Scope",
"search":"Rechercher ...",
"scrollTop":"Retour en haut de page",
"search":"Rechercher...",
"secondFactors":"Seconds facteurs",
"securedCookie":"Cookie sécurisé (HTTPS)",
"security":"Sécurité",
@ -1079,6 +1090,7 @@
"session_s":"session(s)",
"sessions":"Sessions",
"sfExtra":"Seconds facteurs additionnels",
"sfLoginTimeout":"Délai maximum d'authentification",
"sfManagerRule":"Afficher le lien du Gestionnaire",
"sfOnlyUpgrade":"Utiliser le SF pour augmenter le niveau d'authentification",
"sfRegisterTimeout":"Délai d'expiration de l'enregistrement",

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"זמן הנעילה המרבי",
"bruteForceProtectionTempo":"זמן נעילה",
"cancel":"ביטול",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"הפעלה בטופס הכניסה",
"captcha_mail_enabled":"הפעלה באיפוס סיסמה בטופס בדוא״ל",
"captcha_register_enabled":"הפעלה בטופס הרשמה",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"נתיב לסמל",
"casSrvMetaDataOptionsProxiedServices":"שירותים מתווכים",
"casSrvMetaDataOptionsRenew":"חידוש אימות",
"casSrvMetaDataOptionsResolutionRule":"Resolution rule",
"casSrvMetaDataOptionsSortNumber":"סדר",
"casSrvMetaDataOptionsUrl":"כתובת שרת",
"casSrvName":"CAS Server Name",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Code regex",
"ext2fLabel":"תווית",
"ext2fLogo":"לוגו",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"מזהה יישום פייסבוק",
"facebookAppSecret":"סוג יישום פייסבוק",
"facebookAuthnLevel":"דרגת אימות",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Code regex",
"mail2fLabel":"תווית",
"mail2fLogo":"לוגו",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"מפתח הפעלה שמכיל כתובת דוא״ל",
"mail2fSubject":"נושא הדוא״ל",
"mail2fTimeout":"Code timeout",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"גיל מרבי",
"oidcOPMetaDataOptionsPrompt":"Prompt",
"oidcOPMetaDataOptionsProtocol":"פרוטוקול",
"oidcOPMetaDataOptionsResolutionRule":"Resolution rule",
"oidcOPMetaDataOptionsScope":"היקף",
"oidcOPMetaDataOptionsSortNumber":"סדר",
"oidcOPMetaDataOptionsStoreIDToken":"Store ID Token",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Force claims to be returned in ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"אלגוריתם חתימת אסימון זיהוי",
"oidcRPMetaDataOptionsIcon":"לוגו",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"נדרשת הפעלה",
"oidcRPMetaDataOptionsLogoutType":"סוג",
"oidcRPMetaDataOptionsLogoutUrl":"כתובת",
@ -889,11 +897,13 @@
"requireToken":"דרישת אסימון לטפסים",
"rest2f":"אימות דו־שלבי ב־REST",
"rest2fActivation":"הפעלה",
"rest2fCodeActivation":"Code regex",
"rest2fAuthnLevel":"דרגת אימות",
"rest2fInitArgs":"Init arguments",
"rest2fInitUrl":"כתובת אתחול",
"rest2fLabel":"תווית",
"rest2fLogo":"לוגו",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Verify arguments",
"rest2fVerifyUrl":"כתובת וידוא",
"restAuthServer":"שרת אימות",
@ -1060,6 +1070,7 @@
"saveReport":"שמירת דוח",
"savingConfirmation":"Saving confirmation",
"scope":"היקף",
"scrollTop":"Scroll to top button",
"search":"חיפוש…",
"secondFactors":"Second factors",
"securedCookie":"Secured Cookie (SSL)",
@ -1079,6 +1090,7 @@
"session_s":"session(s)",
"sessions":"הפעלות",
"sfExtra":"Additional second factors",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRegisterTimeout":"Registration timeout",

View File

@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Maximum lock time",
"bruteForceProtectionTempo":"Lock time",
"cancel":"Cancella",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"Attivazione nel modulo di login",
"captcha_mail_enabled":"Attivazione della reimpostazione della password tramite modulo di posta",
"captcha_register_enabled":"Attivazione nel formulario di registro",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"Path icona",
"casSrvMetaDataOptionsProxiedServices":"Servizi Proxied",
"casSrvMetaDataOptionsRenew":"Rinnova l'autenticazione",
"casSrvMetaDataOptionsResolutionRule":"Regola di risoluzione",
"casSrvMetaDataOptionsSortNumber":"Ordine",
"casSrvMetaDataOptionsUrl":"URL del server",
"casSrvName":"NOme del Server CAS",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Codice regex",
"ext2fLabel":"Label",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"ID dell'applicazione Facebook",
"facebookAppSecret":"Segreto dell'applicazione Facebook",
"facebookAuthnLevel":"Livello di autenticazione",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Codice regex",
"mail2fLabel":"Label",
"mail2fLogo":"Logo",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"Chiave di sessione contenente l'indirizzo di posta",
"mail2fSubject":"Oggetto della mail",
"mail2fTimeout":"Codice timeout",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Età massima",
"oidcOPMetaDataOptionsPrompt":"Richiesta",
"oidcOPMetaDataOptionsProtocol":"Protocollo",
"oidcOPMetaDataOptionsResolutionRule":"Regola di risoluzione",
"oidcOPMetaDataOptionsScope":"Scopo",
"oidcOPMetaDataOptionsSortNumber":"Ordine",
"oidcOPMetaDataOptionsStoreIDToken":"Immagazzina ID Token",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"Force claims to be returned in ID Token",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algoritmo di firma di identificazione di Token",
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Sessione necessaria",
"oidcRPMetaDataOptionsLogoutType":"Tipo",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
@ -889,11 +897,13 @@
"requireToken":"Richiede il token per i moduli",
"rest2f":"REST secondo fattore",
"rest2fActivation":"Attivazione",
"rest2fCodeActivation":"Codice regex",
"rest2fAuthnLevel":"Livello di autenticazione",
"rest2fInitArgs":"Argomenti di init",
"rest2fInitUrl":"URL iniziale",
"rest2fLabel":"Label",
"rest2fLogo":"Logo",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Verifica argomenti",
"rest2fVerifyUrl":"Verifica UR",
"restAuthServer":"Authentication server",
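Review bot: while this block is being edited, the unchanged neighbouring `"rest2fVerifyUrl":"Verifica UR"` is missing the final letter of "URL" and could be corrected in the same commit; `"rest2fResendInterval":"Re-send interval"` is left in English although `rest2fCodeActivation` received an Italian label (`Codice regex`) here.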
@ -1060,6 +1070,7 @@
"saveReport":"Salva report",
"savingConfirmation":"Salvataggio della conferma",
"scope":"Ambito",
"scrollTop":"Scroll to top button",
"search":"Cerca...",
"secondFactors":"Secondi fattori",
"securedCookie":"Cookie protetti (SSL)",
@ -1079,6 +1090,7 @@
"session_s":"sessione(i)",
"sessions":"Sessioni",
"sfExtra":"Additional second factors",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRegisterTimeout":"Registration timeout",

View File

@ -76,8 +76,8 @@
"authAndUserdb":"Authz i baza danych użytkownika",
"authChain":"Łańcuch uwierzytelnienia",
"authChoice":"Wybór uwierzytelnienia",
"authChoiceAuthBasic":"Choice used for password authentication",
"authChoiceFindUser":"Choice used for searching user account",
"authChoiceAuthBasic":"Wybór używany do uwierzytelniania hasłem",
"authChoiceFindUser":"Wybór używany do wyszukiwania konta użytkownika",
"authChoiceModules":"Dozwolone moduły",
"authChoiceParam":"Parametr adresu URL",
"authOnly":"Tylko uwierzytelnianie",
@ -128,9 +128,12 @@
"bruteForceProtectionLockTimes":"Przyrostowe czasy blokady",
"bruteForceProtectionMaxAge":"Maksymalny czas ważności",
"bruteForceProtectionMaxFailed":"Dozwolone nieudane logowania",
"bruteForceProtectionMaxLockTime":"Maximum lock time",
"bruteForceProtectionMaxLockTime":"Maksymalny czas blokady",
"bruteForceProtectionTempo":"Czas blokady",
"cancel":"Anuluj",
"captcha":"Captcha module",
"captchaCustom":"Custom Captcha module",
"captchaOptions":"Captcha module options",
"captcha_login_enabled":"Aktywacja w formularzu logowania",
"captcha_mail_enabled":"Aktywacja przy resetowaniu hasła za pomocą formularza pocztowego",
"captcha_register_enabled":"Aktywacja w formularzu rejestracji",
@ -161,13 +164,14 @@
"casSrvMetaDataOptionsIcon":"Ścieżka ikony",
"casSrvMetaDataOptionsProxiedServices":"Usługi proxy",
"casSrvMetaDataOptionsRenew":"Odnów uwierzytelnianie",
"casSrvMetaDataOptionsResolutionRule":"Reguła rozstrzygania",
"casSrvMetaDataOptionsSortNumber":"Kolejność",
"casSrvMetaDataOptionsUrl":"URL serwera",
"casSrvName":"Nazwa serwera CAS",
"casStorage":"Nazwa modułu sesji CAS",
"casStorageOptions":"Opcje modułu sesji CAS",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"casStrictMatching":"Użyj ścisłego dopasowania adresów URL",
"casTicketExpiration":"Czas życia biletu tymczasowego",
"categoryName":"Nazwa Kategorii",
"cda":"Wiele domen",
"certificateMailContent":"Treść wiadomości",
@ -183,9 +187,9 @@
"cfgLog":"Podsumowanie",
"cfgVersion":"Wersja konfiguracji",
"checkDevOps":"Aktywacja",
"checkDevOpsCheckSessionAttributes":"Check session attributes",
"checkDevOpsDisplayNormalizedHeaders":"Display normalized headers",
"checkDevOpsDownload":"Download file",
"checkDevOpsCheckSessionAttributes":"Sprawdź atrybuty sesji",
"checkDevOpsDisplayNormalizedHeaders":"Wyświetl znormalizowane nagłówki",
"checkDevOpsDownload":"Pobieranie pliku",
"checkState":"Aktywacja",
"checkStateSecret":"Współdzielony sekret",
"checkUser":"Aktywacja",
@ -194,7 +198,7 @@
"checkUserDisplayEmptyHeaders":"Puste nagłówki",
"checkUserDisplayEmptyValues":"Puste wartości",
"checkUserDisplayHiddenAttributes":"Ukryte atrybuty",
"checkUserDisplayHistory":"History",
"checkUserDisplayHistory":"Historia",
"checkUserDisplayNormalizedHeaders":"Znormalizowane nagłówki",
"checkUserDisplayPersistentInfo":"Trwałe dane sesji",
"checkUserHiddenAttributes":"Ukryte atrybuty",
@ -249,7 +253,7 @@
"crowdsec":"Aktywacja",
"crowdsecAction":"Akcja",
"crowdsecKey":"Klucz API",
"crowdsecUrl":"Base URL of local API",
"crowdsecUrl":"Podstawowy adres URL lokalnego API",
"cspConnect":"Miejsca docelowe Ajax",
"cspDefault":"Domyślna wartość",
"cspFont":"Źródło czcionek",
@ -285,8 +289,8 @@
"dbiAuthUser":"Użytkownik",
"dbiAuthnLevel":"Poziom uwierzytelnienia",
"dbiConnection":"Połączenie",
"dbiConnectionAuth":"Authentication process",
"dbiConnectionUser":"User process",
"dbiConnectionAuth":"Proces uwierzytelniania",
"dbiConnectionUser":"Proces użytkownika",
"dbiDynamicHash":"dynamiczne haszowanie",
"dbiDynamicHashEnabled":"aktywacja dynamicznego haszowania",
"dbiDynamicHashNewPasswordScheme":"Dynamiczny schemat haszowania dla nowych haseł",
@ -315,7 +319,7 @@
"demoParams":"Parametry demonstracyjne",
"description":"Opis",
"dest":"Odbiorca",
"devOpsCheck":"Check DevOps handler file",
"devOpsCheck":"Sprawdź plik obsługi DevOps",
"diffViewer":"Przeglądarka różnic",
"diffWithPrevious":"różnica w stosunku do poprzednich",
"disablePersistentStorage":"Wyłącz przechowywanie",
@ -350,13 +354,14 @@
"ext2fCodeActivation":"Wyrażenie regularne kodu",
"ext2fLabel":"Etykieta",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Re-send interval",
"facebookAppId":"Identyfikator aplikacji na Facebooku",
"facebookAppSecret":"Sekret aplikacji na Facebooku",
"facebookAuthnLevel":"Poziom uwierzytelnienia",
"facebookExportedVars":"Wyeksportowane zmienne",
"facebookParams":"Parametry Facebooka",
"facebookUserField":"Pole zawierające identyfikator użytkownika",
"failedLoginNumber":"Max failed logins count",
"failedLoginNumber":"Maksymalna liczba nieudanych logowań",
"fileToUpload":"Plik do przesłania",
"findUser":"Aktywacja",
"findUserControl":"Kontrola parametrów",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Wyrażenie regularne kodu",
"mail2fLabel":"Etykieta",
"mail2fLogo":"Logo",
"mail2fResendInterval":"Re-send interval",
"mail2fSessionKey":"Klucz sesji zawierający adres e-mail",
"mail2fSubject":"Temat wiadomości",
"mail2fTimeout":"Limit czasu kodu",
@ -575,13 +581,13 @@
"newGrantRule":"Nowa reguła przyznawania",
"newHost":"Nowy host",
"newLocationWarning":"Aktywacja",
"newLocationWarningLocationAttribute":"Session attribute containing location",
"newLocationWarningLocationDisplayAttribute":"Session attribute to display",
"newLocationWarningMailAttribute":"Session mail attribute",
"newLocationWarningMailBody":"Warning mail content",
"newLocationWarningMailSubject":"Warning mail subject",
"newLocationWarningMaxValues":"Maximum number of locations to consider",
"newLocationWarnings":"New location warning",
"newLocationWarningLocationAttribute":"Atrybut sesji zawierający lokalizację",
"newLocationWarningLocationDisplayAttribute":"Atrybut sesji do wyświetlenia",
"newLocationWarningMailAttribute":"Atrybut poczty sesji",
"newLocationWarningMailBody":"Treść wiadomości z ostrzeżeniem",
"newLocationWarningMailSubject":"Temat wiadomości z ostrzeżeniem",
"newLocationWarningMaxValues":"Maksymalna liczba lokalizacji do rozważenia",
"newLocationWarnings":"Ostrzeżenie o nowej lokalizacji",
"newPost":"Nowy formularz powtórzenia",
"newPostVar":"Nowa zmienna",
"newRSAKey":"Nowe klucze",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Maksymalny czas ważności",
"oidcOPMetaDataOptionsPrompt":"Prompt",
"oidcOPMetaDataOptionsProtocol":"Protokół",
"oidcOPMetaDataOptionsResolutionRule":"Reguła rozstrzygania",
"oidcOPMetaDataOptionsScope":"Zakres",
"oidcOPMetaDataOptionsSortNumber":"Kolejność",
"oidcOPMetaDataOptionsStoreIDToken":"Przechowuj token identyfikacyjny",
@ -662,13 +669,13 @@
"oidcParams":"Parametry OpenID Connect",
"oidcRP":"Strona zależna od OpenID Connect",
"oidcRPCallbackGetParam":"Parametr GET wywołania zwrotnego",
"oidcRPMetaDataExportedVars":"Exported attributes (claims)",
"oidcRPMetaDataExportedVars":"Wyeksportowane atrybuty (claims)",
"oidcRPMetaDataMacros":"Makra",
"oidcRPMetaDataNode":"Strony zależne od OpenID Connect",
"oidcRPMetaDataNodes":"Strony zależne od OpenID Connect",
"oidcRPMetaDataOptions":"Opcje",
"oidcRPMetaDataOptionsAccessTokenClaims":"Zwolnij oświadczenia w tokenie dostępu",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Access Tokens",
"oidcRPMetaDataOptionsAccessTokenExpiration":"Tokeny dostępowy",
"oidcRPMetaDataOptionsAccessTokenJWT":"Użyj formatu JWT dla tokenu dostępu",
"oidcRPMetaDataOptionsAccessTokenSignAlg":"Algorytm podpisu tokena dostępu",
"oidcRPMetaDataOptionsAdditionalAudiences":"Dodatkowi odbiorcy",
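Review bot: `"oidcRPMetaDataOptionsAccessTokenExpiration":"Tokeny dostępowy"` pairs a plural noun with a singular adjective; it should read `Tokeny dostępowe`, matching the plural forms `Kody autoryzacyjne` and `Tokeny identyfikacyjne` used in the next hunk of this file.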
@ -677,18 +684,19 @@
"oidcRPMetaDataOptionsAllowOffline":"Zezwalaj na dostęp offline",
"oidcRPMetaDataOptionsAllowPasswordGrant":"Zezwól na przyznanie hasła OAuth2.0",
"oidcRPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Authorization Codes",
"oidcRPMetaDataOptionsAuthorizationCodeExpiration":"Kody autoryzacyjne",
"oidcRPMetaDataOptionsBasic":"Podstawowy",
"oidcRPMetaDataOptionsBypassConsent":"Obejdź zgodę",
"oidcRPMetaDataOptionsClientID":"Identyfikator klienta",
"oidcRPMetaDataOptionsClientSecret":"Sekret klienta",
"oidcRPMetaDataOptionsDisplay":"Wyświetlanie",
"oidcRPMetaDataOptionsDisplayName":"Wyświetlana nazwa",
"oidcRPMetaDataOptionsExtraClaims":"Scope values content",
"oidcRPMetaDataOptionsIDTokenExpiration":"ID Tokens",
"oidcRPMetaDataOptionsExtraClaims":"Treść wartości zakresu",
"oidcRPMetaDataOptionsIDTokenExpiration":"Tokeny identyfikacyjne",
"oidcRPMetaDataOptionsIDTokenForceClaims":"Wymuś zwrot roszczeń w tokenie identyfikacyjnym",
"oidcRPMetaDataOptionsIDTokenSignAlg":"Algorytm podpisu tokena identyfikacyjnego",
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Wymagana sesja",
"oidcRPMetaDataOptionsLogoutType":"Rodzaj",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
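Review bot: this hunk translates the neighbouring expiration and claims labels but leaves `"oidcRPMetaDataOptionsLogoutBypassConfirm":"Bypass confirm"` in English; `Obejdź potwierdzenie` would follow the style of the existing `"oidcRPMetaDataOptionsBypassConsent":"Obejdź zgodę"` a few lines above.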
@ -701,7 +709,7 @@
"oidcRPMetaDataOptionsRule":"Reguła dostępu",
"oidcRPMetaDataOptionsTimeouts":"Limit czasu",
"oidcRPMetaDataOptionsUserIDAttr":"Atrybut użytkownika",
"oidcRPMetaDataOptionsUserInfoSignAlg":"UserInfo response format",
"oidcRPMetaDataOptionsUserInfoSignAlg":"Format odpowiedzi UserInfo",
"oidcRPMetaDataScopeRules":"Zasady dotyczące zakresu",
"oidcRPName":"Nazwa RP OpenID Connect",
"oidcRPStateTimeout":"Limit czasu sesji stanowej",
@ -711,10 +719,10 @@
"oidcServiceAllowHybridFlow":"Przepływ hybrydowy",
"oidcServiceAllowImplicitFlow":"Implikowany przepływ",
"oidcServiceAllowOffline":"Zezwalaj na dostęp offline",
"oidcServiceAllowOnlyDeclaredScopes":"Only allow declared scopes",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code",
"oidcServiceDynamicRegistration":"Dynamic registration",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars",
"oidcServiceAllowOnlyDeclaredScopes":"Zezwalaj tylko na zadeklarowane zakresy",
"oidcServiceAuthorizationCodeExpiration":"Kod autoryzacji",
"oidcServiceDynamicRegistration":"Rejestracja dynamiczna",
"oidcServiceDynamicRegistrationExportedVars":"Wyeksportowane zmienne",
"oidcServiceDynamicRegistrationExtraClaims":"Dodatkowe roszczenia",
"oidcServiceIDTokenExpiration":"Token identyfikacyjny",
"oidcServiceKeyIdSig":"Identyfikator klucza podpisu",
@ -723,7 +731,7 @@
"oidcServiceMetaDataAuthorizeURI":"Autoryzacja",
"oidcServiceMetaDataBackChannelURI":"Identyfikator URI kanału zwrotnego",
"oidcServiceMetaDataCheckSessionURI":"Sprawdź sesję",
"oidcServiceMetaDataEndPoints":"Endpoints",
"oidcServiceMetaDataEndPoints":"Punkty końcowe",
"oidcServiceMetaDataEndSessionURI":"Koniec sesji",
"oidcServiceMetaDataFrontChannelURI":"Identyfikator URI kanału przedniego",
"oidcServiceMetaDataIntrospectionURI":"Introspekcja",
@ -734,9 +742,9 @@
"oidcServiceMetaDataSecurity":"Bezpieczeństwo",
"oidcServiceMetaDataSessions":"Sesje",
"oidcServiceMetaDataTimeouts":"Limit czasu",
"oidcServiceMetaDataTokenURI":"Tokens",
"oidcServiceMetaDataTokenURI":"Tokeny",
"oidcServiceMetaDataUserInfoURI":"Informacja o użytkowniku",
"oidcServiceOfflineSessionExpiration":"Offline session",
"oidcServiceOfflineSessionExpiration":"Sesja offline",
"oidcServicePrivateKeySig":"Klucz prywatny podpisu",
"oidcServicePublicKeySig":"Klucz publiczny podpisu",
"oidcStorage":"Nazwa modułu sesji",
@ -803,7 +811,7 @@
"portalDisplayRefreshMyRights":"Wyświetl link do odświeżania praw",
"portalDisplayRegister":"Zarejestruj Nowe Konto",
"portalDisplayResetPassword":"Zresetuj hasło",
"portalEnablePasswordDisplay":"Allow to display password",
"portalEnablePasswordDisplay":"Zezwól na wyświetlenie hasła",
"portalErrorOnExpiredSession":"Pokaż błąd w wygasłej sesji",
"portalErrorOnMailNotFound":"Pokaż błąd w poczcie nie znaleziono",
"portalFavicon":"Favicon",
@ -831,12 +839,12 @@
"previous":"Poprzedni",
"privateKey":"Prywatny klucz",
"proxyAuthService":"URL",
"proxyAuthServiceChoiceParam":"Choice parameter",
"proxyAuthServiceChoiceValue":"Choice value",
"proxyAuthServiceChoiceParam":"Parametr wyboru",
"proxyAuthServiceChoiceValue":"Wybór wartości",
"proxyAuthServiceImpersonation":"Personifikacja",
"proxyAuthnLevel":"Poziom uwierzytelnienia",
"proxyCookieName":"Nazwa ciasteczka",
"proxyInternalPortal":"Internal Portal",
"proxyInternalPortal":"Portal wewnętrzny",
"proxyParams":"Parametry proxy",
"proxySessionService":"Adres URL usługi sesji",
"proxyUseSoap":"Użyj SOAP zamiast REST",
@ -864,11 +872,11 @@
"regexp":"Wyrażenie regularne",
"regexps":"Wyrażenia regularne",
"register":"Zarejestruj nowe konto",
"registerConfirmBody":"Body for verification mail",
"registerConfirmSubject":"Subject for verification mail",
"registerConfirmBody":"Treść poczty weryfikacyjnej",
"registerConfirmSubject":"Temat wiadomości weryfikacyjnej",
"registerDB":"Moduł rejestracji",
"registerDoneBody":"Body for credentials mail",
"registerDoneSubject":"Subject for credentials mail",
"registerDoneBody":"Treść poczty uwierzytelniającej",
"registerDoneSubject":"Temat wiadomości z danymi uwierzytelniającymi",
"registerTimeout":"Termin ważności wniosku o rejestrację",
"registerUrl":"Zarejestruj adres URL strony",
"reloadParams":"Załaduj ponownie konfigurację",
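Review bot: the two "credentials mail" strings are translated inconsistently in this hunk. "registerDoneSubject" becomes "Temat wiadomości z danymi uwierzytelniającymi" (mail with credentials), but "registerDoneBody" becomes "Treść poczty uwierzytelniającej" (authenticating mail), which changes the meaning. Suggest aligning the body with the subject, e.g. "Treść wiadomości z danymi uwierzytelniającymi".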
@ -889,26 +897,28 @@
"requireToken":"Wymagaj tokena do formularzy",
"rest2f":"Drugi czynnik REST",
"rest2fActivation":"Aktywacja",
"rest2fCodeActivation":"Wyrażenie regularne kodu",
"rest2fAuthnLevel":"Poziom uwierzytelnienia",
"rest2fInitArgs":"Początkowe argumenty",
"rest2fInitUrl":"Początkowy adres URL",
"rest2fLabel":"Etykieta",
"rest2fLogo":"Logo",
"rest2fResendInterval":"Re-send interval",
"rest2fVerifyArgs":"Zweryfikuj argumenty",
"rest2fVerifyUrl":"Zweryfikuj adres URL",
"restAuthServer":"Authentication server",
"restAuthServer":"Serwer uwierzytelniania",
"restAuthUrl":"Adres URL uwierzytelnienia",
"restAuthnLevel":"Poziom uwierzytelnienia",
"restClockTolerance":"Server clock tolerance",
"restConfigServer":"Configuration server",
"restExportSecretKeys":"Export secret attributes",
"restClockTolerance":"Tolerancja zegara serwera",
"restConfigServer":"Serwer konfiguracji",
"restExportSecretKeys":"Eksportuj tajne atrybuty",
"restFindUserDBUrl":"Adres URL kont użytkowników",
"restParams":"Parametry REST",
"restPasswordServer":"Password reset server",
"restPasswordServer":"Serwer resetowania hasła",
"restPwdConfirmUrl":"Adres URL potwierdzenia hasła",
"restPwdModifyUrl":"URL zmiany hasła",
"restServices":"Usługa REST",
"restSessionServer":"Session server",
"restSessionServer":"Serwer sesji",
"restUserDBUrl":"Adres URL danych użytkownika",
"restore":"Przywróć",
"restoreConf":"Przywróć konfigurację",
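Review bot: "rest2fResendInterval":"Re-send interval" is left in English in this Polish hunk even though the surrounding rest2f and REST server keys in the same hunk are translated. Translate it (e.g. "Interwał ponownego wysyłania") or drop the key so the default-language label is used.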
@ -1060,6 +1070,7 @@
"saveReport":"Zapisz raport",
"savingConfirmation":"Zapisuję potwierdzenie",
"scope":"Zakres",
"scrollTop":"Scroll to top button",
"search":"Szukaj...",
"secondFactors":"Drugi czynnik",
"securedCookie":"Bezpieczne pliki cookie (SSL)",
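Review bot: "scrollTop":"Scroll to top button" is added to the Polish file untranslated. Since this is a new key rather than a changed one, it would be cleaner to omit it here and let the manager fall back to the default language until a translation is available, instead of committing an English string into pl.json.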
@ -1079,9 +1090,10 @@
"session_s":"sesja/e",
"sessions":"Sesje",
"sfExtra":"Dodatkowe drugie czynniki",
"sfLoginTimeout":"Login timeout",
"sfManagerRule":"Link do Menedżera wyświetlania",
"sfOnlyUpgrade":"Użyj 2FA do aktualizacji sesji",
"sfRegisterTimeout":"Registration timeout",
"sfRegisterTimeout":"Limit czasu rejestracji",
"sfRemovedMsg":"Wyświetl komunikat, gdy przeterminowany 2FA został usunięty",
"sfRemovedMsgRule":"Aktywacja",
"sfRemovedNotifMsg":"Powiadomienie",
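Review bot: "sfLoginTimeout":"Login timeout" is added to the Polish file untranslated, while "sfRegisterTimeout" in the same hunk is translated to "Limit czasu rejestracji". For consistency, "Limit czasu logowania" would match the existing wording, or omit the key to fall back to the default language.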
@ -1107,9 +1119,9 @@
"slaveMasterIP":"Adres IP mastera",
"slaveParams":"Parametry slave",
"slaveUserHeader":"Nagłówek logowania użytkownika",
"soapConfigServer":"Configuration server",
"soapConfigServer":"Serwer konfiguracji",
"soapServices":"Usługa SOAP",
"soapSessionServer":"Session server",
"soapSessionServer":"Serwer sesji",
"specialRule":"Reguła specjalna",
"sslByAjax":"Użyj żądania Ajax",
"sslHost":"Ajax SSL URL",
@ -1118,13 +1130,13 @@
"stateCheck":"Kontrola stanu",
"stayConnect":"Trwałe połączenia",
"stayConnected":"Aktywacja",
"stayConnectedBypassFG":"Do not check fingerprint",
"stayConnectedBypassFG":"Nie sprawdzaj odcisku palca",
"stayConnectedCookieName":"Nazwa ciasteczka",
"stayConnectedTimeout":"Data ważności",
"storePassword":"Przechowuj hasło użytkownika w sesji",
"string":"Łańcuch znaków",
"subtitle":"Podtytuł",
"successLoginNumber":"Max successful logins count",
"successLoginNumber":"Maksymalna liczba udanych logowań",
"successfullySaved":"Pomyślnie zapisano",
"sympaHandler":"Sympa",
"sympaMailKey":"Klucz sesji e-mail",
@ -1142,9 +1154,9 @@
"totp2fActivation":"Aktywacja",
"totp2fAuthnLevel":"Poziom uwierzytelnienia",
"totp2fDigits":"Ilość cyfr",
"totp2fEncryptSecret":"Encrypt TOTP secrets",
"totp2fEncryptSecret":"Szyfruj sekrety TOTP",
"totp2fInterval":"Interwał",
"totp2fIssuer":"Issuer name",
"totp2fIssuer":"Nazwa wystawcy",
"totp2fLabel":"Etykieta",
"totp2fLogo":"Logo",
"totp2fRange":"Zakres prób",
@ -1203,7 +1215,7 @@
"vhostAccessToTrace":"Dostęp do śledzenia",
"vhostAliases":"Aliasy",
"vhostAuthnLevel":"Wymagany poziom uwierzytelnienia",
"vhostDevOpsRulesUrl":"DevOps rules file URL",
"vhostDevOpsRulesUrl":"Adres URL pliku reguł DevOps",
"vhostHttps":"HTTPS",
"vhostMaintenance":"Tryb konserwacji",
"vhostOptions":"Opcje",
@ -1229,9 +1241,9 @@
"webauthn2fLogo":"Logo",
"webauthn2fSelfRegistration":"Samodzielna rejestracja",
"webauthn2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć WebAuthn",
"webauthn2fUserVerification":"User verification",
"webauthnDisplayNameAttr":"User Display Name attribute",
"webauthnRpName":"Relying Party display name",
"webauthn2fUserVerification":"Weryfikacja użytkownika",
"webauthnDisplayNameAttr":"Atrybut nazwy wyświetlanej użytkownika",
"webauthnRpName":"Wyświetlana nazwa strony uzależnionej",
"webidParams":"Parametry WebID",
"whatToTrace":"REMOTE_USER",
"whiteList":"Biała lista",


@ -131,6 +131,9 @@
"bruteForceProtectionMaxLockTime":"Maksimum kilit süresi",
"bruteForceProtectionTempo":"Kilit süresi",
"cancel":"İptal Et",
"captcha":"Captcha modülü",
"captchaCustom":"Captcha modülünü özelleştir",
"captchaOptions":"Captcha modülü seçenekleri",
"captcha_login_enabled":"Giriş formunda aktivasyon",
"captcha_mail_enabled":"E-posta formu tarafından parola sıfırlamada aktivasyon",
"captcha_register_enabled":"Kayıt formunda aktivasyon",
@ -161,6 +164,7 @@
"casSrvMetaDataOptionsIcon":"İkon yolu",
"casSrvMetaDataOptionsProxiedServices":"Vekil sunucu servisleri",
"casSrvMetaDataOptionsRenew":"Kimlik doğrulamayı yenile",
"casSrvMetaDataOptionsResolutionRule":"Çözünürlük kuralı",
"casSrvMetaDataOptionsSortNumber":"Sıra",
"casSrvMetaDataOptionsUrl":"Sunucu URL'si",
"casSrvName":"CAS Sunucu Adı",
@ -350,6 +354,7 @@
"ext2fCodeActivation":"Düzenli ifade kodla",
"ext2fLabel":"Etiket",
"ext2fLogo":"Logo",
"ext2fResendInterval":"Yeniden gönderme aralığı",
"facebookAppId":"Facebook uygulama ID",
"facebookAppSecret":"Facebook uygulama gizli anahtar",
"facebookAuthnLevel":"Doğrulama seviyesi",
@ -527,6 +532,7 @@
"mail2fCodeRegex":"Düzenli ifade kodla",
"mail2fLabel":"Etiket",
"mail2fLogo":"Logo",
"mail2fResendInterval":"Yeniden gönderme aralığı",
"mail2fSessionKey":"Oturum anahtarı e-posta adresini içeriyor",
"mail2fSubject":"E-posta konusu",
"mail2fTimeout":"Kod zaman aşımı",
@ -652,6 +658,7 @@
"oidcOPMetaDataOptionsMaxAge":"Maksimum ömür",
"oidcOPMetaDataOptionsPrompt":"İstem",
"oidcOPMetaDataOptionsProtocol":"Protokol",
"oidcOPMetaDataOptionsResolutionRule":"Çözünürlük kuralı",
"oidcOPMetaDataOptionsScope":"Kapsam",
"oidcOPMetaDataOptionsSortNumber":"Sıra",
"oidcOPMetaDataOptionsStoreIDToken":"ID Jetonu Sakla",
@ -689,6 +696,7 @@
"oidcRPMetaDataOptionsIDTokenForceClaims":"ID Jetonunda özelliklerin yayınlanmasını zorla",
"oidcRPMetaDataOptionsIDTokenSignAlg":"ID Token imzalama algoritması",
"oidcRPMetaDataOptionsIcon":"Logo",
"oidcRPMetaDataOptionsLogoutBypassConfirm":"Doğrulamayı geç",
"oidcRPMetaDataOptionsLogoutSessionRequired":"Oturum gerekli",
"oidcRPMetaDataOptionsLogoutType":"Tür",
"oidcRPMetaDataOptionsLogoutUrl":"URL",
@ -889,11 +897,13 @@
"requireToken":"Formlar için jeton gerekir",
"rest2f":"REST ile ikinci faktör",
"rest2fActivation":"Aktivasyon",
"rest2fCodeActivation":"Düzenli ifade kodla",
"rest2fAuthnLevel":"Doğrulama seviyesi",
"rest2fInitArgs":"Başlangıç argümanları",
"rest2fInitUrl":"Başlangıç URL",
"rest2fLabel":"Etiket",
"rest2fLogo":"Logo",
"rest2fResendInterval":"Yeniden gönderme aralığı",
"rest2fVerifyArgs":"Argümanları Doğrula",
"rest2fVerifyUrl":"URL'yi Doğrula",
"restAuthServer":"Doğrulama sunucusu",
@ -1060,6 +1070,7 @@
"saveReport":"Raporu kaydet",
"savingConfirmation":"Doğrulama kaydediliyor",
"scope":"Kapsam",
"scrollTop":"Üst butonu kaydır",
"search":"Ara...",
"secondFactors":"İki faktörlü kimlik doğrulama",
"securedCookie":"Güvenli Çerez (SSL)",
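Review bot: "scrollTop":"Üst butonu kaydır" reads as "scroll the top button" rather than describing a button that scrolls to the top; the source text for this key, as shown in the Polish hunk above, is "Scroll to top button". Suggest rewording along the lines of "Yukarı kaydır butonu" so the label describes the button's function.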
@ -1079,6 +1090,7 @@
"session_s":"oturum(lar)",
"sessions":"Oturumlar",
"sfExtra":"Ek ikinci faktörler",
"sfLoginTimeout":"Oturum zaman aşımı",
"sfManagerRule":"Yönetici bağlantısını görüntüle",
"sfOnlyUpgrade":"Oturum yükseltme için 2FA kullan",
"sfRegisterTimeout":"Kayıtlanma zaman aşımı",
