Merge remote-tracking branch 'origin/v2.0' into master

This commit is contained in:
Xavier Guimard 2020-09-22 13:05:37 +02:00
commit b8102d127e
160 changed files with 4602 additions and 685 deletions

COPYING

@ -98,7 +98,7 @@ Comment: downloaded from
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/GitHub.png
Copyright: GitHub
License: MIT
License: Expat
Comment: downloaded from
https://commons.wikimedia.org/wiki/File:Octicons-mark-github.svg
@ -138,13 +138,13 @@ Comment: This work, "decryptValue.png", is a derivative of
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-4
License: CC-BY-4.0
Comment: This work, "switchcontext_OFF.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-4
License: CC-BY-4.0
Comment: This work, "switchcontext_ON.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
@ -242,22 +242,17 @@ Copyright: 2014-2015, Google Inc.
License: BSD-3-clause
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
doc/pages/documentation/current/icons/*
doc/sources/admin/icons/*
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
License: LGPL-3
Files: doc/pages/documentation/current/lib/images/*
Copyright: 2004-2012 Andreas Gohr <andi@splitbrain.org>
and the DokuWiki Community
License: GPL-2
Files: doc/pages/documentation/current/documentation/lasso*.png
Files: doc/sources/admin/documentation/lasso.png
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
2004, Florent Monnier
License: GPL-2+
Files: debian/*
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
License: GPL-2+
License: Apache-2.0
@ -740,7 +735,7 @@ License: CC-BY-NC-ND-3.0
title of the Work if supplied; (iii) to the extent reasonably
practicable, the URI, if any, that Licensor specifies to be associated
with the Work, unless such URI does not refer to the copyright notice or
licensing information for the Work. The credit required by this Section
licensing information for the Work. The credit required by this Section
(c) may be implemented in any reasonable manner; provided, however, that
in the case of a Collection, at a minimum such credit will appear, if a
credit for all contributing authors of Collection appears, then as part
@ -949,27 +944,27 @@ License: CC-BY-4.0
.
Attribution.
.
If You Share the Licensed Material (including in modified form), You
must: retain the following if it is supplied by the Licensor with the
Licensed Material: identification of the creator(s) of the Licensed
Material and any others designated to receive attribution, in any
reasonable manner requested by the Licensor (including by pseudonym if
designated); a copyright notice; a notice that refers to this Public
License; a notice that refers to the disclaimer of warranties; a URI or
hyperlink to the Licensed Material to the extent reasonably practicable;
indicate if You modified the Licensed Material and retain an indication
of any previous modifications; and indicate the Licensed Material is
licensed under this Public License, and include the text of, or the URI
or hyperlink to, this Public License. You may satisfy the conditions in
Section 3(a)(1) in any reasonable manner based on the medium, means, and
context in which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or hyperlink to
a resource that includes the required information. If requested by the
Licensor, You must remove any of the information required by Section
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
Material You produce, the Adapter's License You apply must not prevent
recipients of the Adapted Material from complying with this Public
License.
If You Share the Licensed Material (including in modified form), You
must: retain the following if it is supplied by the Licensor with the
Licensed Material: identification of the creator(s) of the Licensed
Material and any others designated to receive attribution, in any
reasonable manner requested by the Licensor (including by pseudonym if
designated); a copyright notice; a notice that refers to this Public
License; a notice that refers to the disclaimer of warranties; a URI or
hyperlink to the Licensed Material to the extent reasonably practicable;
indicate if You modified the Licensed Material and retain an indication
of any previous modifications; and indicate the Licensed Material is
licensed under this Public License, and include the text of, or the URI
or hyperlink to, this Public License. You may satisfy the conditions in
Section 3(a)(1) in any reasonable manner based on the medium, means, and
context in which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or hyperlink to
a resource that includes the required information. If requested by the
Licensor, You must remove any of the information required by Section
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
Material You produce, the Adapter's License You apply must not prevent
recipients of the Adapted Material from complying with this Public
License.
.
Section 4 Sui Generis Database Rights.
.


@ -332,7 +332,7 @@ $(SRCMANAGERDIR)/site/htdocs/static/js/%.js: $(SRCMANAGERDIR)/site/coffee/%.coff
uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map `basename $*`.min.js.map -o `basename $*`.min.js; \
else \
cd `dirname $*`; \
uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map -o `basename $*`.min.js; \
uglifyjs `basename $*`.js --compress --mangle --source-map -o `basename $*`.min.js; \
fi
fastcgi-server/man/llng-fastcgi-server.8p: fastcgi-server/sbin/llng-fastcgi-server
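Review bot: The `uglifyjs` call in the `else` branch of this recipe loses `--comments='/Copyr/i'` while the call in the first branch (two lines above) keeps it, so, assuming the second printed line is the new side, manager JS minified through this path is stripped of its copyright headers. If that is intended, a short comment in the recipe stating why would avoid the inconsistency being "fixed" later; otherwise add the option back so both branches agree. The rule itself begins before the hunk.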

RELEASE

@ -23,16 +23,9 @@ Before release
$ ./scripts/download_translations
- Update documentation:
$ ./scripts/parameters-for-wiki.pl >/tmp/prmlist.txt
Replace https://lemonldap-ng.org/documentation/X.X/parameterlist by
/tmp/prmlist.txt content
$ make documentation
$ ./scripts/parameters-for-doc.pl > doc/sources/admin/parameterlist.rst
- Update changelog:
$ ./scripts/generate-changelog.pl
This update "changelog" file using GitLab issues (tags Bug, New feature,
@ -56,10 +49,6 @@ For major release
- Go on gitlab and create a new tag: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags/new
- Change "latest" symlink in dokuwiki
- Edit scripts/doc.pl in trunk to point on the new documentation path
Make the distribution
---------------------
@ -89,7 +78,6 @@ Packages are in /tmp
Sign packages:
$ dpkg-sig -p --sign builder /tmp/*.deb
Upload the distribution
---------------------
@ -125,6 +113,7 @@ Site
- Update links on the download page
- Close the milestone on Gitlab and create a new one
- Update admin documentation and API documentation
Spread the word
---------------


@ -26,7 +26,7 @@ server {
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
@ -38,7 +38,7 @@ server {
#uwsgi_pass_request_body off;
#uwsgi_param CONTENT_LENGTH "";
#uwsgi_param HOST $http_host;
#uwsgi_param X_ORIGINAL_URI $request_uri;
#uwsgi_param X_ORIGINAL_URI $original_uri;
# Improve performances
#uwsgi_buffer_size 32k;
#uwsgi_buffers 32 32k;
@ -57,6 +57,7 @@ server {
##################################
# CALLING AUTHENTICATION #
##################################
set $original_uri $uri$is_args$args;
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
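Review bot: The comment `# Keep original request (LLNG server will receive /lmauth)` above the changed fastcgi_param line is now misleading, since the value passed is `$original_uri`, built from nginx's normalized `$uri` plus the query string rather than the raw `$request_uri` (the NEWS entry in this commit ties the change to CVE-2020-24660). Suggest rewording it to `# Pass the normalized URI (not the raw $request_uri) so access rules see the same path nginx routes on`. The new `set $original_uri $uri$is_args$args;` line must appear in every location that issues `auth_request /lmauth;`, otherwise that location would hand the handler an empty X_ORIGINAL_URI; a one-line comment saying so next to the `set` would help admins copying this template. The same comment applies to the commented-out uwsgi variant in the hunk above and to the application documentation snippets later in this commit, which add the same two lines.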


@ -1,3 +1,86 @@
lemonldap-ng (2.0.9) stable; urgency=medium
* Bugs:
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1980: Refresh my rights causes error 500 with OIDC provider
* #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
* #2196: Unable do display integer field with other fields in Manager
* #2199: StayConnected plugin not working due to error in fingerprint javascript
* #2200: Bad default value for portalDisplayOidcConsents
* #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
* #2212: Captcha or OTT is not renewed if Impersonation process failed
* #2215: CheckUser idRule is checked only if session is computed
* #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
* #2221: Bad error message when conf backend fails to load
* #2222: Errors in lemonldap-ng.ini are not correctly reported
* #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
* #2224: regression in redirection to SAML urls with query string after #2085
* #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
* #2230: LLNG 2.0.8 - Error on portal.js with IE 11
* #2234: Prevent browser caching in sendJSONresponse
* #2237: SAML SP error with auth kerberos
* #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
* #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
* #2254: Local session cache and systemd PrivateTmp
* #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
* #2257: Missing country in OpenID Connect Address Claim
* #2258: Error when using lougout_app_sso
* #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
* #2263: Incorrect SOAP Content-Type
* #2271: Labels are not working in auth form
* #2272: Secure flag missing on lemonldappdata cookie and during logout
* #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
* #2275: sgRequired option does not work when global storage is enabled for token
* #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
* #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
* #2289: Special chars password policy is not displayed if password is expired
* #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
* #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
* #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
* #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
* #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
* New features:
* #1646: integrate documentation into the codebase
* #2124: use 2FA only if and when needed
* #2205: Add a session command line (CLI) tool
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #2188: Declare vhost with wildcard and prefix/suffix
* #2189: Make externally-provisionned yubikeys easier to configure
* #2193: Polish translation
* #2195: Manager - Configuration's Author IP address field should honor $ipAddr
* #2201: Avoid Portal to crash with bad GrantSession rule
* #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
* #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
* #2214: add option to make convertConfig easier in most cases
* #2225: REST ression server is too intolerant of clock drift (2)
* #2233: Error/Warnings id not replaced with CLI
* #2239: Mail reset token should not be deleted at first page access
* #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
* #2241: Add CAS App management to the manager API
* #2242: Display new supported grant_types in OIDC discovery page
* #2244: Use configuration key in user log messages for all Issuer modules
* #2249: Check password policy on the client side when changing password
* #2251: Add a parameter for Syslog options
* #2252: No host in logs to use with Fail2ban
* #2265: increase log level for mail sending and password reset
* #2273: URL is not set to Portal URL after ContextSwitching
* #2276: Using bruteForceProtectionIncrementalTempo lock user at first attempt
* #2278: Display instance name when prompting a message
* #2280: User attribute based on local macro in Openid rp
* #2281: Manage SameSite default behavior
* #2283: Improve Notifications explorer to display done notifications content
* #2284: Improve serviceToken debug logs
* #2292: request "do not minify" json config option
* #2295: Erroneous use of NTLM should be explicitely reported to the user
* #2299: healthcheck endpoint for manager API
* #2302: correct usage of invalid vs unvalid in code & messaging
* #2303: Add del method to lemonldap-ng-cli
-- Clément <clem.oudot@gmail.com> Sun, 06 Sep 2020 19:59:22 +0200
lemonldap-ng (2.0.8) stable; urgency=medium
* Bugs:

debian/NEWS vendored

@ -1,3 +1,18 @@
lemonldap-ng (2.0.9-1) unstable; urgency=medium
This release fixes 2 CVE:
- CVE-2020-24660: Nginx configuration for Handler protected applications
must be updated if your virtual host configuration contains per-URL access
rules based on regular expressions in addition to the built-in default access rule.
- CVE-2020-16093: LDAP server certificates were previously not verified by default
when using secure transports (LDAPS or TLS). Starting from this release, certificate
validation is now enabled by default, including on existing installations. If
your SSL configuration is not valid, you can temporarily disable certificate
verification.
See upgrade notes in local documentation or on https://lemonldap-ng.org
-- Clement OUDOT <clement@oodo.net> Sun, 06 Sep 2020 22:00:00 +0100
lemonldap-ng (2.0.6-1) unstable; urgency=medium
FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf.

debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.9-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sun, 06 Sep 2020 22:00:00 +0100
lemonldap-ng (2.0.8-1) unstable; urgency=medium
* New release. See changes on our website:

debian/control vendored

@ -213,6 +213,7 @@ Depends: ${misc:Depends},
liburi-perl,
libwww-perl
Recommends: libapache-session-browseable-perl,
libemail-sender-perl (>=1.300027) | libemail-sender-transport-smtps-perl,
libcookie-baker-xs-perl,
libdbi-perl,
libhttp-parser-xs-perl,
@ -245,6 +246,7 @@ Depends: ${misc:Depends},
libconvert-pem-perl,
libregexp-common-perl,
libcrypt-openssl-rsa-perl,
libemail-date-format-perl,
liblemonldap-ng-handler-perl (= ${binary:Version}),
lemonldap-ng-fastcgi-server (= ${binary:Version}) | lemonldap-ng-uwsgi-app (= ${binary:Version}) | apache2 | httpd-cgi
Recommends: lemonldap-ng-doc (= ${binary:Version}),
@ -278,7 +280,6 @@ Depends: ${misc:Depends},
libemail-date-format-perl
Recommends: libcrypt-openssl-bignum-perl,
libconvert-base32-perl,
libemail-sender-perl (>=1.300027) | libemail-sender-transport-smtps-perl,
libio-string-perl,
libipc-run-perl,
libgd-securityimage-perl,

debian/copyright vendored

@ -4,18 +4,22 @@ Upstream-Contact: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
Source: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags?sort=updated_desc
Files: *
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
2006-2019, Clement Oudot <clem.oudot@gmail.com>
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
2006-2020, Clement Oudot <clem.oudot@gmail.com>
2008, Mikael Ates <mikael.ates@univ-st-etienne.fr>
2008-2011, Thomas Chemineau <thomas.chemineau@gmail.com>
2012-2013, Sandro Cazzaniga <cazzaniga.sandro@gmail.com>
2012-2015, François-Xavier Deltombe <fxdeltombe@gmail.com>
2012-2015, David Coutadeur <david.coutadeur@gmail.com>
2018-2019, Christophe Maudoux <chrmdx@gmail.com>
2005-2019, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
2006-2015, LINAGORA <info@linagora.com>
2012-2019, David Coutadeur <david.coutadeur@gmail.com>
2018-2020, Christophe Maudoux <chrmdx@gmail.com>
2019-2020, Maxime Besson <maxime.besson@worteks.com>
2019, Soisik Frogier <soisik.froger@worteks.com>
2019, Mame Dieynaba Sene <msene@linagora.com>
2019, Antoine Rosier <lemonldap@mon-refuge.fr>
2005-2020, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
2006-2019, LINAGORA <info@linagora.com>
2015-2018, Savoir-faire Linux <contact@savoirfairelinux.com>
2018-2019, Worteks <info@worteks.com>
2018-2020, Worteks <info@worteks.com>
License: GPL-2+
Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
@ -67,6 +71,10 @@ Copyright: https://www.customicondesign.com
License: CC-BY-NC-ND-3.0
Comment: Downloaded from https://www.iconspedia.com/
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/Slave.png
Copyright: Antoine Rosier <antoine.rosier@mon-refuge.fr>
License: CC-3
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/Twitter.png
Copyright: Paul Schulerr, https://schulerr.deviantart.com
License: CC-3
@ -88,6 +96,12 @@ Comment: downloaded from
.
Author is unknown and license may be W3C or public-domain
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/GitHub.png
Copyright: GitHub
License: Expat
Comment: downloaded from
https://commons.wikimedia.org/wiki/File:Octicons-mark-github.svg
Files: lemonldap-ng-portal/site/htdocs/static/bootstrap/u2f.png
Copyright: Bautsch <https://commons.wikimedia.org/wiki/User:Bautsch>
License: CC0-1.0
@ -99,12 +113,39 @@ License: CC-3
Comment: This work, "sfa_manager.png", is a derivative of
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/notifsExplorer.png
Copyright: Various artists
License: CC-BY-NC-ND-3.0 or GFDL-1.3
Comment: downloaded from https://commons.wikimedia.org
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/decryptValue.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-3
Comment: This work, "decryptValue.png", is a derivative of
"secure.png" by Austin Condiff, under CC-BY-3.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_OFF.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-BY-4.0
Comment: This work, "switchcontext_OFF.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext_ON.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-BY-4.0
Comment: This work, "switchcontext_ON.png", is a derivative of
"Theater-Masken - Silhouetten und kontur vektoren" by Natasha Sinegina, under CC-BY-4.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/modules/CustomAuth.png
Copyright: Christophe Maudoux <chrmdx@gmail.com>
License: CC-3
Comment: This work, "CustomAuth.png", is a derivative of
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/fonts/password.ttf
Copyright: 2007, the Tap2Play Team, https://git.tap2play.org.au/tap2play/web/tree/dev/fonts
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/*
Copyright: Various artists
License: CC-BY-NC-ND-3.0 or GFDL-1.3
@ -189,22 +230,17 @@ Copyright: 2014-2015, Google Inc.
License: BSD-3-clause
Files: lemonldap-ng-portal/site/htdocs/static/common/apps/*
doc/pages/documentation/current/icons/*
doc/sources/admin/icons/*
Copyright: 2006-2007 Everaldo Coelho, Crystal Project
License: LGPL-3
Files: doc/pages/documentation/current/lib/images/*
Copyright: 2004-2012 Andreas Gohr <andi@splitbrain.org>
and the DokuWiki Community
License: GPL-2
Files: doc/pages/documentation/current/documentation/lasso*.png
Files: doc/sources/admin/documentation/lasso.png
Copyright: 2004, Entr'ouvert <https://www.entrouvert.com/>
2004, Florent Monnier
License: GPL-2+
Files: debian/*
Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
License: GPL-2+
License: Apache-2.0
@ -690,7 +726,7 @@ License: CC-BY-NC-ND-3.0
title of the Work if supplied; (iii) to the extent reasonably
practicable, the URI, if any, that Licensor specifies to be associated
with the Work, unless such URI does not refer to the copyright notice or
licensing information for the Work. The credit required by this Section
licensing information for the Work. The credit required by this Section
(c) may be implemented in any reasonable manner; provided, however, that
in the case of a Collection, at a minimum such credit will appear, if a
credit for all contributing authors of Collection appears, then as part
@ -899,27 +935,27 @@ License: CC-BY-4.0
.
Attribution.
.
If You Share the Licensed Material (including in modified form), You
must: retain the following if it is supplied by the Licensor with the
Licensed Material: identification of the creator(s) of the Licensed
Material and any others designated to receive attribution, in any
reasonable manner requested by the Licensor (including by pseudonym if
designated); a copyright notice; a notice that refers to this Public
License; a notice that refers to the disclaimer of warranties; a URI or
hyperlink to the Licensed Material to the extent reasonably practicable;
indicate if You modified the Licensed Material and retain an indication
of any previous modifications; and indicate the Licensed Material is
licensed under this Public License, and include the text of, or the URI
or hyperlink to, this Public License. You may satisfy the conditions in
Section 3(a)(1) in any reasonable manner based on the medium, means, and
context in which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or hyperlink to
a resource that includes the required information. If requested by the
Licensor, You must remove any of the information required by Section
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
Material You produce, the Adapter's License You apply must not prevent
recipients of the Adapted Material from complying with this Public
License.
If You Share the Licensed Material (including in modified form), You
must: retain the following if it is supplied by the Licensor with the
Licensed Material: identification of the creator(s) of the Licensed
Material and any others designated to receive attribution, in any
reasonable manner requested by the Licensor (including by pseudonym if
designated); a copyright notice; a notice that refers to this Public
License; a notice that refers to the disclaimer of warranties; a URI or
hyperlink to the Licensed Material to the extent reasonably practicable;
indicate if You modified the Licensed Material and retain an indication
of any previous modifications; and indicate the Licensed Material is
licensed under this Public License, and include the text of, or the URI
or hyperlink to, this Public License. You may satisfy the conditions in
Section 3(a)(1) in any reasonable manner based on the medium, means, and
context in which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or hyperlink to
a resource that includes the required information. If requested by the
Licensor, You must remove any of the information required by Section
3(a)(1)(A) to the extent reasonably practicable. If You Share Adapted
Material You produce, the Adapter's License You apply must not prevent
recipients of the Adapted Material from complying with this Public
License.
.
Section 4 Sui Generis Database Rights.
.


@ -868,6 +868,9 @@
"allowOffline" : {
"type" : "boolean"
},
"authnLevel" : {
"type" : "integer"
},
"rule" : {
"type" : "string"
},
@ -1057,6 +1060,9 @@
"type" : "integer",
"default" : 72000
},
"authnLevel" : {
"type" : "integer"
},
"rule" : {
"type" : "string"
},


@ -70,12 +70,13 @@ Configure Bugzilla virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -75,12 +75,13 @@ Configure Dokuwiki virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -72,12 +72,13 @@ Configure Drupal virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -69,7 +69,7 @@ configuration file:
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Protect only the /login/ URL
@ -78,6 +78,7 @@ configuration file:
# Protect the current path with LLNG
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -130,12 +130,13 @@ Configure Liferay virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -159,12 +159,13 @@ Configure MediaWiki virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -152,12 +152,13 @@ Edit also OBM configuration to enable LL::NG Handler:
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location ~ \.php$ {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -74,12 +74,13 @@ Configure phpLDAPadmin virtual host like other
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -102,12 +102,13 @@ authentication URL.
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location /wws/sso_login/lemonldapng {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -82,8 +82,11 @@ Connection
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server. Can be overridden by
an LDAP URI in server host.
- **Server port**: TCP port used by LDAP server if different from the standard
ports. Can also be specified in the server host URI.
- **Verify LDAP server certificate**: It is highly recommended to verify the
identity of the remote server. This setting is only enforced for LDAPS or
TLS connections.
- **Users search base**: Base of search in the LDAP directory.
- **Account**: DN used to connect to LDAP server. By default, anonymous
bind is used.
@ -95,6 +98,12 @@ Connection
(see
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
documentation).
- **CA file path**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **CA directory path**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. attention::


@ -23,16 +23,16 @@ and password reset self-service, you also need to index some fields.
The following table list fields to index depending on the feature you
want to increase performance:
====================================== ===================================================================
Feature Fields to index
====================================== ===================================================================
Database cleanup *(cron)* \_session_kind \_utime
Session explorer \_session_kind ipAddr \_httpSessionType *WHATTOTRACE*
Session explorer (persistent sessions) \_session_kind \_session_uid ipAddr \_httpSessionType *WHATTOTRACE*
Session restrictions \_session_kind ipAddr *WHATTOTRACE*
Password reset by email user
SAML Session \_saml_id
====================================== ===================================================================
====================================== ============= ===================================================================
Feature Session Type Fields to index
====================================== ============= ===================================================================
Database cleanup *(cron)* All \_session_kind \_utime
Session explorer Global \_session_kind ipAddr \_httpSessionType *WHATTOTRACE*
Session explorer Persistent \_session_kind \_session_uid ipAddr \_httpSessionType *WHATTOTRACE*
Session restrictions Global \_session_kind ipAddr *WHATTOTRACE*
Password reset by email Global user
SAML Session SAML \_saml_id ProxyID \_nameID \_assert_id \_art_id
====================================== ============= ===================================================================
See Apache::Session::Browseable man page to see how use indexes.
@ -198,6 +198,9 @@ Name Comment Default value
**ldapAttributeId** Attribute storing session ID cn
**ldapAttributeContent** Attribute storing session content description
**ldapAttributeIndex** Attribute storing index ou
**ldapVerify** Perform certificate validation require (use none to disable)
**ldapCAFile** Path of CA file bundle (system CA bundle)
**ldapCAPath** Perform CA directory (system CA bundle)
======================== ================================= ===============================
Security


@ -23,12 +23,14 @@ Just enable it in the manager (section “plugins”).
for searching sessions in backend if ``whatToTrace`` fails. Useful
to look for sessions by mail or givenName. Let it blank to search
by ``whatToTrace`` only.
- **Display empty headers**: Rule to display ALL headers appended by
LemonLDAP::NG including empty ones
- **Display empty value**: Rule to display ALL attributes even empty
ones
- **Display persistent session**: Rule to display persistent session
attributes
- **Display computed sessions**: Rule to define which users can display a
computed session if no SSO session is found
- **Display empty headers**: Rule to define which users can display ALL headers
appended by LemonLDAP::NG including empty ones
- **Display empty values**: Rule to define which users can display ALL attributes
even empty ones
- **Display persistent session data**: Rule to define which users can display
persistent session data
.. note::


@ -483,12 +483,13 @@ included file):
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -147,7 +147,7 @@ Then you can take any virtual host and modify it:
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
- Protect the application (/ or /path/to/protect):
@ -156,6 +156,7 @@ Then you can take any virtual host and modify it:
location /path/to/protect {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
auth_request_set $cookie_value $upstream_http_set_cookie;
@ -220,12 +221,13 @@ Example of a protected virtual host for a local application:
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location ~ \.php$ {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
@ -280,12 +282,13 @@ Reverse proxy
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
@ -327,7 +330,7 @@ by different types of handler :
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH "";
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
uwsgi_param X_ORIGINAL_URI $original_uri;
# Improve performances
uwsgi_buffer_size 32k;
uwsgi_buffers 32 32k;
@ -342,7 +345,7 @@ by different types of handler :
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH "";
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
uwsgi_param X_ORIGINAL_URI $original_uri;
uwsgi_param VHOSTTYPE AuthBasic;
# Improve performances
uwsgi_buffer_size 32k;
@ -358,7 +361,7 @@ by different types of handler :
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH "";
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
uwsgi_param X_ORIGINAL_URI $original_uri;
uwsgi_param VHOSTTYPE ServiceToken;
# Improve performances
uwsgi_buffer_size 32k;
@ -371,6 +374,7 @@ by different types of handler :
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
@ -389,6 +393,7 @@ by different types of handler :
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth-basic;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
@ -407,6 +412,7 @@ by different types of handler :
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth-service;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
# Remove this for AuthBasic handler


@ -109,6 +109,8 @@ Options
application.
- **User attribute** : session field that will be used as main
identifier.
- **Authentication Level** : required authentication level to access this
application
- **Rule** : The access control rule to enforce on this application. If
left blank, access will be allowed for everyone.


@ -268,7 +268,8 @@ Options
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for details. These offline sessions can be administered through
the Session Browser.
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``) Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
- **Authentication Level**: required authentication level to access this application
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
- **Logout**


@ -162,10 +162,12 @@ These options override service signature options (see
Security
''''''''
- **Encryption mode**: set the encryption mode for this IDP (None,
- **Encryption mode**: set the encryption mode for this SP (None,
NameID or Assertion).
- **Enable use of IDP initiated URL**: set to ``On`` to enable IDP
Initiated URL on this SP.
- **Authentication Level**: required authentication level to access this SP
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this SP
.. tip::


@ -89,6 +89,14 @@ Parameters:
- **ldapAttributeId**: RDN attribute of configuration entry (optional)
- **ldapAttributeContent**: attribute used to store configuration
values, must be multivalued (optional)
- **ldapVerify**: When using a LDAPS or TLS server, whether or not to validate the server certificate. Possible values: ``require``, ``optional`` or ``none``.
- **ldapCAFile**: This allows you to override the default system-wide
certificate authorities by giving a single file containing the CA used by the
LDAP server.
- **ldapCAPath**: This allows you to override the default system-wide
certificate authorities by giving the path of a directory containing your
trusted certificates.
.. |image0| image:: /documentation/configuration-ldap.png
:class: align-center


@ -54,6 +54,9 @@ Name Comment Default value
**ldapObjectClass** Objectclass of the entry applicationProcess
**ldapAttributeId** Attribute storing session ID cn
**ldapAttributeContent** Attribute storing session content description
**ldapVerify** Perform certificate validation require (use none to disable)
**ldapCAFile** Path of CA file bundle (system CA bundle)
**ldapCAPath** Perform CA directory (system CA bundle)
======================== ================================= ===============================
Security


@ -61,52 +61,58 @@ Authentication:
::
[notice] Session granted for clement.oudot by LDAP (81.20.13.21)
[notice] User clement.oudot.com successfully authenticated at level 2
[notice] clement.oudot connected
[notice] Session granted for dwho by LDAP (81.20.13.21)
[notice] User dwho.com successfully authenticated at level 2
[notice] dwho connected
Failed authentication:
::
[warn] foo.bar was not found in LDAP directory (81.20.13.21)
[warn] Bad password for clement.oudot (81.20.13.21)
[warn] Bad password for dwho (81.20.13.21)
Failed authentication with Combination module:
::
[warn] All schemes failed for user dwho (81.20.13.21)
Logout:
::
[notice] User clement.oudot has been disconnected from LDAP (81.20.13.21)
[notice] User dwho has been disconnected from LDAP (81.20.13.21)
Access to a CAS application non registered in configuration (when CAS server is open):
::
[notice] User clement.oudot is redirected to https://cas.service.url
[notice] User dwho is redirected to https://cas.service.url
Access to a CAS application whose configuration key is ``app-example``:
::
[notice] User clement.oudot is authorized to access to app-example
[notice] User dwho is authorized to access to app-example
Access to an SAML SP whose configuration key is ``sp-example``:
::
[notice] User clement.oudot is authorized to access to sp-example
[notice] User dwho is authorized to access to sp-example
Access to an OIDC RP whose configuration key is ``rp-example``:
::
[notice] User clement.oudot is authorized to access to rp-example
[notice] User dwho is authorized to access to rp-example
Access to a Get application whose vhost configuration key is ``host.example.com``:
::
[notice] User clement.oudot is authorized to access to host.example.com
[notice] User dwho is authorized to access to host.example.com
Default loggers


@ -69,12 +69,13 @@ Nginx configuration
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
# Client requests
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -12,8 +12,6 @@ Parameter list
Main parameters
---------------
<sortable 1>
======================================================= ==================================================================================== ====== ======= ======= =============
Key name Documentation Portal Handler Manager ini file only
======================================================= ==================================================================================== ====== ======= ======= =============
@ -43,11 +41,11 @@ available2FSelfRegistration Available self-registrat
browsersDontStorePassword Avoid browsers to store users password ✔
bruteForceProtection Enable brute force attack protection ✔
bruteForceProtectionIncrementalTempo Enable incremental lock time for brute force attack protection ✔
bruteForceProtectionLockTimes Incremental lock time values for brute force attack protection ✔
bruteForceProtectionLockTimes Incremental lock time values for brute force attack protection ✔
bruteForceProtectionMaxAge Brute force attack protection -> Max age between last and first allowed failed login ✔ ✔
bruteForceProtectionMaxFailed Brute force attack protection -> Max allowed failed login ✔
bruteForceProtectionMaxFailed Brute force attack protection -> Max allowed failed login ✔
bruteForceProtectionMaxLockTime Brute force attack protection -> Max lock time ✔ ✔
bruteForceProtectionTempo Brute force attack protection -> Tempo before try again ✔
bruteForceProtectionTempo Brute force attack protection -> Tempo before try again ✔
captcha_login_enabled Captcha on login page ✔
captcha_mail_enabled Captcha on password reset page ✔
captcha_register_enabled Captcha on account creation page ✔
@ -85,6 +83,7 @@ checkUserDisplayPersistentInfo Display persistent sessi
checkUserHiddenAttributes Attributes to hide in CheckUser plugin ✔
checkUserIdRule checkUser identities rule ✔
checkUserSearchAttributes Attributes used for retrieving sessions in user DataBase ✔
checkUserUnrestrictedUsersRule checkUser unrestricted users rule ✔
checkXSS Check XSS ✔
combModules Combination module description ✔
combination Combination rule ✔
@ -95,6 +94,7 @@ contextSwitchingIdRule Context switching identi
contextSwitchingPrefix Prefix to store real session Id ✔ ✔
contextSwitchingRule Context switching activation rule ✔
contextSwitchingStopWithLogout Stop context switching by logout ✔
contextSwitchingUnrestrictedUsersRule Context switching unrestricted users rule ✔
cookieExpiration Cookie expiration ✔ ✔
cookieName Name of the main cookie ✔ ✔
corsAllow_Credentials Allow credentials for Cross-Origin Resource Sharing ✔
@ -190,6 +190,7 @@ impersonationMergeSSOgroups Merge spoofed and real S
impersonationPrefix Prefix to rename real session attributes ✔ ✔
impersonationRule Impersonation activation rule ✔
impersonationSkipEmptyValues Skip session empty values ✔
impersonationUnrestrictedUsersRule Impersonation unrestricted users rule ✔
infoFormMethod HTTP method for info page form ✔
issuerDBCASActivation CAS server activation ✔
issuerDBCASPath CAS server request path ✔
@ -217,6 +218,8 @@ krbRemoveDomain Remove domain in Kerbero
ldapAllowResetExpiredPassword Allow a user to reset his expired password ✔
ldapAuthnLevel LDAP authentication level ✔
ldapBase LDAP search base ✔
ldapCAFile Location of the certificate file for LDAP connections ✔
ldapCAPath Location of the CA directory for LDAP connections ✔
ldapChangePasswordAsUser ✔
ldapExportedVars LDAP exported variables ✔
ldapGroupAttributeName LDAP attribute name for member in groups ✔
@ -234,11 +237,12 @@ ldapPort LDAP port
ldapPpolicyControl ✔
ldapPwdEnc LDAP password encoding ✔
ldapRaw ✔
ldapSearchDeref "deref" param of Net::LDAP::search () ✔
ldapSearchDeref "deref" param of Net::LDAP::search()
ldapServer LDAP server (host or URI) ✔
ldapSetPassword ✔
ldapTimeout LDAP connection timeout ✔
ldapUsePasswordResetAttribute LDAP store reset flag in an attribute ✔
ldapVerify Whether to validate LDAP certificates ✔
ldapVersion LDAP protocol version ✔
linkedInAuthnLevel LinkedIn authentication level ✔
linkedInClientID ✔
@ -434,11 +438,13 @@ rest2fLabel Portal label for REST se
rest2fLogo Custom logo for REST 2F ✔
rest2fVerifyArgs Args for REST 2F init ✔
rest2fVerifyUrl REST 2F init URL ✔
restAuthServer Enable REST authentication server ✔
restAuthUrl ✔
restAuthnLevel REST authentication level ✔
restClockTolerance How tolerant the REST session server will be to clock dift ✔
restConfigServer Enable REST config server ✔
restExportSecretKeys Allow to export secret keys in REST session server ✔
restPasswordServer Enable REST password reset server ✔
restPwdConfirmUrl ✔
restPwdModifyUrl ✔
restSessionServer Enable REST session server ✔
@ -509,6 +515,7 @@ sessionDataToRemember Data to remember in logi
sfEngine Second factor engine ✔ ✔
sfExtra Extra second factors ✔
sfManagerRule Rule to display second factor Manager link ✔
sfOnlyUpgrade Only trigger second factor on session upgrade ✔
sfRemovedMsgRule Display a message if at leat one expired SF has been removed ✔
sfRemovedNotifMsg Notification message ✔
sfRemovedNotifRef Notification reference ✔
@ -520,6 +527,7 @@ singleIP Allow only one session p
singleSession Allow only one session per user ✔
singleUserByIP Allow only one user per IP ✔
skipRenewConfirmation Avoid asking confirmation when an Issuer asks to renew auth ✔
skipUpgradeConfirmation Avoid asking confirmation during a session upgrade ✔
slaveAuthnLevel Slave authentication level ✔
slaveDisplayLogo Display Slave authentication logo ✔
slaveExportedVars Slave exported variables ✔
@ -593,6 +601,7 @@ wsdlServer Enable /portal.wsdl serv
yubikey2fActivation Yubikey second factor activation ✔
yubikey2fAuthnLevel Authentication level for users authentified by Yubikey second factor ✔
yubikey2fClientID Yubico client ID ✔
yubikey2fFromSessionAttribute Provision yubikey from the given session variable ✔
yubikey2fLabel Portal label for Yubikey second factor ✔
yubikey2fLogo Custom logo for Yubikey 2F ✔
yubikey2fNonce Yubico nonce ✔
@ -609,8 +618,6 @@ zimbraSsoUrl Zimbra local SSO URL pat
zimbraUrl Zimbra preauthentication URL ✔ ✔
======================================================= ==================================================================================== ====== ======= ======= =============
</sortable>
*[1]: complex nodes*
Configuration backend parameters


@ -18,7 +18,7 @@ attribute you see there can be used in a rule!
$uid eq "dwho"
$uidNumber == 1000
$cn eq "Doctor Who"
$email eq "dwho@tardis.info"
$email eq "dwho@badwolf.org"
etc.


@ -29,22 +29,44 @@ The E-Mail, External and REST 2F modules
parameters.
.. tip::
Registration on first use
-------------------------
If you want to force a 2F registration on first login, you can
use 'Require 2FA'. You can also use a rule to force 2FA registration
only for some users.
.. tip::
If you want to force a 2F registration on first login, you can use the *Force
2FA registration at login* option.
You can display a message if an
expired second factor has been removed by enabling 'Display a message if
an expired SF is removed' option or setting a rule.
You can use a `rule<writingrulesand_headers>` to enable this behavior only for
some users.
.. tip::
Second factor expiration
------------------------
Link to second factor Manager is automatically display if at least a
SFA module is enabled. You can set a rule to display or not the
link.
You can display a message if an expired second factor has been removed by
enabling *Display a message if an expired SF is removed* option or setting a
rule.
Self-care on Portal
-------------------
User may register second facrots themselves on the Portal by using the 2FA Manager.
The link will be displayed if at least a SFA module is enabled. You can set a
rule to display or not the link.
Session upgrade through 2FA
---------------------------
|beta|
If you enable the *Use 2FA for session upgrade* option, second factor will only
be asked on login if the target application requires an authentication level
that is strictly higher than the one obtained by the Authentication backend
(first factor).
The session upgrade mechanism will only require the second factor step, instead
of doing a complete reauthentication.
.. |beta| image:: /documentation/beta.png
Providing tokens from an external source
----------------------------------------
@ -100,4 +122,3 @@ To enable manager Second Factor Administration Module, set
[portal]
enabledModules = conf, sessions, notifications, 2ndFA


@ -4,27 +4,31 @@ SMTP server setup
Go in ``General Parameters`` > ``Advanced Parameters`` > ``SMTP``:
* **Session key containing mail address**: choose which session field contains mail address
* **Session key containing mail address**: choose which session field contains
mail address
* **SMTP Server**: IP or hostname of the SMTP server
* **SMTP Port**: Port of the SMTP server
* **SMTP User**: SMTP user if authentication is required
* **SMTP Password**: SMTP password if authentication is required
* **SSL/TLS protocol** and **SSL/TLS options**: Here you can enable SMTPS or startTLS
* **SSL/TLS protocol** and **SSL/TLS options**: Here you can enable SMTPS or
startTLS. A list of possible options can be found in the `IO::Socket::SSL
documentation <https://metacpan.org/pod/IO::Socket::SSL>`__.
.. tip::
- If no SMTP server is configured, the mail will be sent via the local
sendmail program. Else, Net::SMTP module is required to use the SMTP
server
- The SMTP server value can hold the port, for example:
``mail.example.com:25``
- If authentication is configured, ``Authen::SASL`` and
``MIME::Base64`` modules are required
.. warning::
- Older versions of the Email::Sender library have limitations when it comes
to SMTPS or STARTTLS support. Versions lower than 1.300027 will not be
able to check the remote server certificate or use custom IO::Socket::SSL
options.
- **Mail headers**:
@ -33,3 +37,22 @@ Go in ``General Parameters`` > ``Advanced Parameters`` > ``SMTP``:
- **Reply address**: address seen in the "Reply-To" field
- **charset**: Charset used for the body of the mail (default:
utf-8)
Testing your email setup
------------------------
.. versionadded:: 2.0.10
You can test your email setup in the ``General Parameters`` > ``Advanced
Parameters`` > ``SMTP`` page by using the ``Send test email`` button in the
manager.
.. tip::
You need to save your SMTP configuration before you can test it
.. versionadded:: 2.0.10
You can also test your email setup using the ``test-email`` command in the CLI ::
lemonldap-ng-cli test-email dwho@badwolf.org


@ -75,7 +75,7 @@ request authorization from a central FastCGI server:
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
# Set dynamically rules (LLNG will poll it every 10 mn)
fastcgi_param RULES_URL http://rulesserver/my.json
@ -87,6 +87,7 @@ request authorization from a central FastCGI server:
}
location ~ ^(.*\.php)$ {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
@ -232,7 +233,7 @@ directory.
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
fastcgi_param X_ORIGINAL_URI $original_uri;
}
location /rules.json {
auth_request off;
@ -241,6 +242,7 @@ directory.
}
location / {
auth_request /lmauth;
set $original_uri $uri$is_args$args;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;


@ -20,24 +20,84 @@ backups and a rollback plan ready!
2.0.9
-----
- | Bad default value to display OIDC Consents tab has been fixed.
| The default value is ``$_oidcConsents && $_oidcConsents =~ /\w+/``
- Bad default value to display OIDC Consents tab has been fixed.
The default value is now: ``$_oidcConsents && $_oidcConsents =~ /\w+/``
- Some user log messages have been modified, check :doc:`logs documentation <logs>`
(see also `#2244 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2244>`__)
- SAML SOAP calls are now using ``text/xml`` instead of ``application/xml`` as the MIME Content Type, as required by `the SOAP standard <https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383526>`__
- The default config/session cache directory has been moved from ``/tmp`` to
``/var/cache/lemonldap-ng`` in order to avoid `issues with cache purges
<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2254>`__ when
using Systemd. This change is only applied to new installations. If your
installation is experiencing cache purge issues, you
need to manually change your existing
``localSessionStorageOptions/cache_root`` parameter from ``/tmp`` to
``/var/cache/lemonldap-ng``.
- This release fixes several issues when using ``SameSite=None``. The new
default value of the SameSite configuration parameter will set SameSite to
``Lax`` unless you are using SAML, which requires ``None``
- Incremental lock times values can now be set by using Manager.
It must a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
- Incremental lock times values can now be set in BruteForceProtection plugin through Manager.
It must be a list of comma separated values. Default values are ``5, 15, 60, 300, 600``
Cookie issues with Chrome
~~~~~~~~~~~~~~~~~~~~~~~~~
This release fixes several issues related to the change in SameSite cookie
policy for Google Chrome users. The new default value of the SameSite
configuration parameter will set SameSite to ``Lax`` unless you are using SAML,
in which case it will be set to ``None``.
This means that from now on, any LemonLDAP::NG installation using SAML must be
served over HTTPS, as SameSite ``None`` value requires the ``Secure`` flag in cookie.
Change in default cache directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The default config/session cache directory has been moved from ``/tmp`` to
``/var/cache/lemonldap-ng`` in order to avoid `issues with cache purges
<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2254>`__ when using
Systemd. This change is only applied to new installations. If your
installation is experiencing cache purge issues, you need to manually change
your existing ``localSessionStorageOptions/cache_root`` parameter from ``/tmp``
to ``/var/cache/lemonldap-ng``. Be sure to create this directory on your
file system before modifying your configuration.
Required changes in NGINX handler rules (CVE-2020-24660)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
* You are using the :doc:`LemonLDAP::NG Handler<configvhost>` to protect applications
* Your handler server uses Nginx
* Your virtual host configuration contains per-URL access rules based on
regular expressions in addition to the built-in *default* access rule.
.. note::
You are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout
If you are in this situation, you need to modify *all* your handler-protected
virtualhosts by making the following change:
* Replace ``fastcgi_param X_ORIGINAL_URI $request_uri`` by ``fastcgi_param X_ORIGINAL_URI $original_uri`` if you are using FastCGI
* Replace ``uwsgi_param X_ORIGINAL_URI $request_uri`` by ``uwsgi_param X_ORIGINAL_URI $original_uri`` if you are using uWSGI
* Right after ``auth_request /lmauth;``, add the following line ::
set $original_uri $uri$is_args$args;
You can check the :doc:`configvhost` page for more information
LDAP certificate validation (CVE-2020-16093)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see `CVE-2020-16093 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250>`__. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command ::
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to `/etc/lemonldap-ng/lemonldap-ng.ini` ::
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, you are strongly encouraged to also upgrade corresponding ``Apache::Session`` modules (``Apache::Session::LDAP`` or ``Apache::Session::Browseable``). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
* key: ``ldapVerify``
* value: ``none``
Please note that it is HIGHLY recommended to set certificate validation to `require` when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.
2.0.8
-----


@ -1098,6 +1098,8 @@ components:
notOnOrAfterTimeout:
type: integer
default: 72000
authnLevel:
type: integer
rule:
type: string
forceUTF8:
@ -1181,6 +1183,8 @@ components:
type: string
allowOffline:
type: boolean
authnLevel:
type: integer
rule:
type: string
IDTokenSignAlg:


@ -35,6 +35,7 @@ lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
lib/Lemonldap/NG/Common/Conf/Serializer.pm
lib/Lemonldap/NG/Common/Conf/Wrapper.pm
lib/Lemonldap/NG/Common/Crypto.pm
lib/Lemonldap/NG/Common/EmailTransport.pm
lib/Lemonldap/NG/Common/FormEncode.pm
lib/Lemonldap/NG/Common/IO/Filter.pm
lib/Lemonldap/NG/Common/IPv6.pm


@ -3,7 +3,7 @@
"author" : [
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 0,
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"


@ -9,7 +9,7 @@ build_requires:
Test::Pod: '1'
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 0
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:


@ -62,7 +62,8 @@ WriteMakefile(
MailingList => 'mailto:lemonldap-ng-dev@ow2.org',
license => 'http://opensource.org/licenses/GPL-2.0',
homepage => 'http://lemonldap-ng.org/',
bugtracker => 'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
bugtracker =>
'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
x_twitter => 'https://twitter.com/lemonldapng',
},
},
@ -99,9 +100,9 @@ WriteMakefile(
FILES => 't/lmConf*'
},
MAN1PODS => {
'scripts/convertConfig' => 'blib/man1/convertConfig.1p',
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
'scripts/lemonldap-ng-cli' => 'blib/man1/lemonldap-ng-cli.1p',
'scripts/convertConfig' => 'blib/man1/convertConfig.1p',
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
'scripts/lemonldap-ng-cli' => 'blib/man1/lemonldap-ng-cli.1p',
'scripts/lemonldap-ng-sessions' => 'blib/man1/lemonldap-ng-sessions.1p',
},
);


@ -3,6 +3,7 @@ package Lemonldap::NG::Common::Cli;
use strict;
use Mouse;
use Lemonldap::NG::Common::Conf;
use Lemonldap::NG::Common::EmailTransport;
extends 'Lemonldap::NG::Common::PSGI::Cli::Lib';
@ -54,6 +55,22 @@ sub updateCache {
qq{Cache updated to configuration $conf->{cfgNum} for user $>\n};
}
sub testEmail {
my $self = shift;
my $dest = shift;
die "Must specify destination" unless ($dest);
my $conf = $self->confAccess->getConf();
eval {
Lemonldap::NG::Common::EmailTransport::sendTestMail( $conf, $dest );
};
my $error = $@;
if ($error) {
die $error;
} else {
print STDERR "Test email successfully sent to $dest\n";
}
}
sub run {
my $self = shift;
@ -80,7 +97,7 @@ sub run {
}
$self->confAccess()->lastCfg() unless ( $self->cfgNum );
my $action = shift;
unless ( $action =~ /^(?:info|update-cache)$/ ) {
unless ( $action =~ /^(?:info|update-cache|test-email)$/ ) {
die "unknown action $action. Only info or update are accepted";
}
$action =~ s/\-([a-z])/uc($1)/e;
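Review bot: The error message in `run` is now stale: the accepted-action regex on the new side admits `update-cache` and `test-email`, but the line right after it still says `Only info or update are accepted`, so an operator who mistypes `test-mail` is told a list that does not include the command they wanted; suggest `die "unknown action $action. Only info, update-cache or test-email are accepted";`. In `testEmail`, the `eval { ... }; my $error = $@; if ($error) { die $error }` wrapper re-throws the exception unchanged and is equivalent to calling `sendTestMail` directly; if the intent is to add context, `die "Test email to $dest failed: $error\n"` would justify keeping it. The success line is printed to STDERR, which is surprising for a non-error result; STDOUT is the conventional channel and lets scripts separate the two. The body of `run` continues outside the hunk.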


@ -9,7 +9,7 @@ use Lemonldap::NG::Common::Apache::Session;
use Lemonldap::NG::Common::Session;
use Lemonldap::NG::Common::Util qw/getPSessionID genId2F/;
our $VERSION = '2.0.8';
our $VERSION = '2.0.9';
has opts => ( is => 'rw' );


@ -92,7 +92,10 @@ sub ldap {
my $ldap = Net::LDAP->new(
\@servers,
onerror => undef,
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
verify => ( $self->{ldapVerify} || "require" ),
( $self->{ldapCAFile} ? ( cafile => $self->{ldapCAFile} ) : () ),
( $self->{ldapCAPath} ? ( capath => $self->{ldapCAPath} ) : () ),
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
raw => => qr/(?i:^jpegPhoto|;binary)/
);
@ -100,12 +103,27 @@ sub ldap {
$Lemonldap::NG::Common::Conf::msg .= "$@\n";
return;
}
elsif ( $Net::LDAP::VERSION < '0.64' ) {
# CentOS7 has a bug in which IO::Socket::SSL will return a broken
# socket when certificate validation fails. Net::LDAP does not catch
# it, and the process ends up crashing.
# As a precaution, make sure the underlying socket is doing fine:
if ( $ldap->socket->isa('IO::Socket::SSL')
and $ldap->socket->errstr < 0 )
{
$Lemonldap::NG::Common::Conf::msg .=
"SSL connection error: " . $ldap->socket->errstr;
return;
}
}
# Start TLS if needed
if ($useTls) {
my %h = split( /[&=]/, $tlsParam );
$h{cafile} = $self->{caFile} if ( $self->{caFile} );
$h{capath} = $self->{caPath} if ( $self->{caPath} );
$h{verify} ||= $self->{ldapVerify} || "require";
$h{cafile} ||= $self->{ldapCAFile} if ( $self->{ldapCAFile} );
$h{capath} ||= $self->{ldapCAPath} if ( $self->{ldapCAPath} );
my $start_tls = $ldap->start_tls(%h);
if ( $start_tls->code ) {
$self->logError($start_tls);
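Review bot: In the StartTLS branch, `$h{verify} ||= $self->{ldapVerify} || "require";` lets a per-server URL query parameter (parsed from `$tlsParam` into `%h` a few lines above) silently take precedence over the global `ldapVerify` setting; that precedence deserves a comment, e.g. `# Query parameters of the ldap+tls:// URL take precedence over the global ldapVerify/ldapCAFile/ldapCAPath settings`, so an operator hardening `ldapVerify` knows to audit `ldapServer` as well. The broken-socket workaround in the `$Net::LDAP::VERSION < '0.64'` branch is duplicated verbatim in the portal's `_ldap` in this same commit; a small shared helper would keep the two copies from drifting. That check also compares `$ldap->socket->errstr < 0` numerically, and what `errstr` returns for IO::Socket::SSL should be confirmed before relying on the sign. The enclosing `ldap` sub continues outside the hunk.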


@ -30,7 +30,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
dirName => '/usr/local/lemonldap-ng/data/conf',
);
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:I
ncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)
|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );


@ -36,6 +36,7 @@ sub defaultValues {
'http://auth.example.com/certificateReset',
'certificateResetByMailValidityDelay' => 0,
'checkTime' => 600,
'checkUserDisplayComputedSession' => 1,
'checkUserDisplayEmptyHeaders' => 0,
'checkUserDisplayEmptyValues' => 0,
'checkUserDisplayPersistentInfo' => 0,
@ -145,12 +146,14 @@ sub defaultValues {
'ldapServer' => 'ldap://localhost',
'ldapTimeout' => 120,
'ldapUsePasswordResetAttribute' => 1,
'ldapVerify' => 'require',
'ldapVersion' => 3,
'linkedInAuthnLevel' => 1,
'linkedInScope' => 'r_liteprofile r_emailaddress',
'linkedInUserField' => 'emailAddress',
'localSessionStorage' => 'Cache::FileCache',
'localSessionStorageOptions' => {
'linkedInFields' => 'id,first-name,last-name,email-address',
'linkedInScope' => 'r_liteprofile r_emailaddress',
'linkedInUserField' => 'emailAddress',
'localSessionStorage' => 'Cache::FileCache',
'localSessionStorageOptions' => {
'cache_depth' => 3,
'cache_root' => '/var/cache/lemonldap-ng',
'default_expires_in' => 600,
@ -224,14 +227,14 @@ sub defaultValues {
'pamAuthnLevel' => 2,
'pamService' => 'login',
'passwordDB' => 'Demo',
'passwordPolicyActivation' => 1,
'passwordPolicyMinDigit' => 0,
'passwordPolicyMinLower' => 0,
'passwordPolicyMinSize' => 0,
'passwordPolicyMinSpeChar' => 0,
'passwordPolicyMinUpper' => 0,
'passwordPolicySpecialChar' =>
'! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
'passwordResetAllowedRetries' => 3,
'passwordPolicySpecialChar' => '__ALL__',
'passwordResetAllowedRetries' => 3,
'persistentSessionAttributes' =>
'_loginHistory _2fDevices notification_',
'port' => -1,


@ -24,12 +24,12 @@ our $specialNodeHash = {
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|ombModule)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:UserAttribut|Servic|Rul)e|(?:ExportedVar|Macro)s)';
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic|Rul)e|AuthnLevel)|(?:ExportedVar|Macro)s)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:(?:uthorizationCode|ccessToken)Expiration|llow(?:PasswordGrant|Offline)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:uth(?:orizationCodeExpiration|nLevel)|llow(?:PasswordGrant|Offline)|ccessTokenExpiration|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
our $authParameters = {
@ -45,8 +45,8 @@ our $authParameters = {
githubParams => [qw(githubAuthnLevel githubClientID githubClientSecret githubUserField githubScope)],
gpgParams => [qw(gpgAuthnLevel gpgDb)],
kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInUserField linkedInScope)],
ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapVerify ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw ldapCAFile ldapCAPath LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInFields linkedInUserField linkedInScope)],
nullParams => [qw(nullAuthnLevel)],
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
openidParams => [qw(openIdAuthnLevel openIdExportedVars openIdSecret openIdIDPList)],


@ -0,0 +1,117 @@
package Lemonldap::NG::Common::EmailTransport;
use Email::Sender::Transport::SMTP qw();
use MIME::Entity;
use Email::Sender::Simple qw(sendmail);
use Email::Date::Format qw(email_date);
our $VERSION = '2.0.9';
sub new {
my ( $class, $conf ) = @_;
my $transport;
my $smtpTls = $conf->{SMTPTLS};
return undef
unless ( $conf->{SMTPServer} );
if ( $smtpTls
and $Email::Sender::Transport::SMTP::VERSION < 1.300027 )
{
# Try to use Email::Sender::Transport::SMTPS
eval { require Email::Sender::Transport::SMTPS; };
# fall back to Email::Sender::Transport::SMTP if not available
unless ($@) {
$transport = Email::Sender::Transport::SMTPS->new(
host => $conf->{SMTPServer},
( $conf->{SMTPPort} ? ( port => $conf->{SMTPPort} ) : () ),
(
$conf->{SMTPAuthUser}
? (
sasl_username => $conf->{SMTPAuthUser},
sasl_password => $conf->{SMTPAuthPass}
)
: ()
),
ssl => $smtpTls,
);
return $transport;
}
else {
if ( $smtpTls and $smtpTls eq "ssl" ) {
$smtpTls = 1;
}
else {
$smtpTls = 0;
}
}
}
$transport = Email::Sender::Transport::SMTP->new(
host => $conf->{SMTPServer},
( $conf->{SMTPPort} ? ( port => $conf->{SMTPPort} ) : () ),
(
$conf->{SMTPAuthUser}
? (
sasl_username => $conf->{SMTPAuthUser},
sasl_password => $conf->{SMTPAuthPass}
)
: ()
),
( $smtpTls ? ( ssl => $smtpTls ) : () ),
(
$conf->{SMTPTLSOpts} ? ( ssl_options => $conf->{SMTPTLSOpts} )
: ()
),
);
return $transport;
}
sub configTest {
my ( $class, $conf ) = @_;
my $res = 1;
my $message;
if ( $Email::Sender::Transport::SMTP::VERSION < 1.300027 ) {
if ( $conf->{SMTPTLS} ) {
$message = "Email::Sender < 1.3.00027 does not validate"
. " server identity when using SMTPS, use at your own risks";
}
if ( $conf->{SMTPTLSOpts} and keys %{ $conf->{SMTPTLSOpts} } ) {
$message =
( $message ? "$message. " : "" )
. "Setting TLS parameters is not supported on "
. "Email::Sender < 1.3.00027";
}
eval { require Email::Sender::Transport::SMTPS; };
if ($@) {
if ( $conf->{SMTPTLS} and $conf->{SMTPTLS} eq "starttls" ) {
$message =
( $message ? "$message. " : "" )
. "StartTLS is not supported, "
. "install Email::Sender::Transport::SMTPS";
}
}
}
return $res, $message;
}
sub sendTestMail {
my ($conf, $dest) = @_;
my $transport = Lemonldap::NG::Common::EmailTransport->new($conf);
my $message = MIME::Entity->build(
From => $conf->{mailFrom},
To => $dest,
Subject => 'LemonLDAP::NG test email',
Type => 'TEXT',
Data => 'This test message was sent from the LemonLDAP::NG Manager',
Type => 'text/plain',
Date => email_date,
);
# Send the mail
eval { sendmail( $message->stringify, { transport => $transport } ); };
if ($@) {
my $error = ( $@->isa('Throwable::Error') ? $@->message : $@ );
die $error;
}
}
1;
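Review bot: `sendTestMail` does not check the value returned by `Lemonldap::NG::Common::EmailTransport->new($conf)`, which returns undef when `SMTPServer` is not set; the call then passes `transport => undef` to `sendmail`, and Email::Sender::Simple would presumably fall back to its default transport instead of reporting the missing configuration, so add `die "SMTPServer is not configured" unless $transport;` before building the message. The `MIME::Entity->build` argument list carries two `Type` keys (`Type => 'TEXT'` and `Type => 'text/plain'`); drop the first so the content type is unambiguous. The `$@->isa('Throwable::Error')` test is a method call on whatever `$@` holds, which is a plain string for non-object exceptions; `Scalar::Util::blessed($@) && $@->isa('Throwable::Error')` states the intent more safely. `return undef` in `new` yields a one-element list in list context; `return;` is the conventional form.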


@ -23,8 +23,43 @@ sub import {
}
has ldapServer => (
is => 'ro',
required => 1,
is => 'ro',
lazy => 1,
default => sub {
$_[0]->conf->{ldapServer};
}
);
has ldapPort => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]->conf->{ldapPort};
}
);
has ldapCAFile => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]->conf->{ldapCAFile};
}
);
has ldapCAPath => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]->conf->{ldapCAPath};
}
);
has ldapVerify => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]->conf->{ldapVerify};
}
);
has ldapConfBase => (
@ -40,8 +75,7 @@ has ldapBindDN => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]->p->logger->warn('Warning: "ldapBindDN" parameter is not set');
return '';
$_[0]->conf->{managerDn};
}
);
@ -49,9 +83,7 @@ has ldapBindPassword => (
is => 'ro',
lazy => 1,
default => sub {
$_[0]
->p->logger->warn('Warning: "ldapBindPassword" parameter is not set');
return '';
$_[0]->conf->{managerPassword};
}
);
@ -439,7 +471,7 @@ sub _ldap {
my $useTls = 0;
my $tlsParam;
my @servers = ();
foreach my $server ( split /[\s,]+/, $self->{ldapServer} ) {
foreach my $server ( split /[\s,]+/, $self->ldapServer ) {
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
$useTls = 1;
$server = $1;
@ -455,18 +487,35 @@ sub _ldap {
my $ldap = Net::LDAP->new(
\@servers,
onerror => undef,
( $self->{ldapPort} ? ( port => $self->{ldapPort} ) : () ),
( $self->ldapPort ? ( port => $self->ldapPort ) : () ),
( $self->ldapVerify ? ( verify => $self->ldapVerify ) : () ),
( $self->ldapCAFile ? ( cafile => $self->ldapCAFile ) : () ),
( $self->ldapCAPath ? ( capath => $self->ldapCAPath ) : () ),
);
unless ($ldap) {
use Data::Dumper;
die 'connexion failed: ' . $@;
}
elsif ( $Net::LDAP::VERSION < '0.64' ) {
# CentOS7 has a bug in which IO::Socket::SSL will return a broken
# socket when certificate validation fails. Net::LDAP does not catch
# it, and the process ends up crashing.
# As a precaution, make sure the underlying socket is doing fine:
if ( $ldap->socket->isa('IO::Socket::SSL')
and $ldap->socket->errstr < 0 )
{
die "SSL connection error: " . $ldap->socket->errstr;
}
}
# Start TLS if needed
if ($useTls) {
my %h = split( /[&=]/, $tlsParam );
$h{cafile} = $self->{caFile} if ( $self->{caFile} );
$h{capath} = $self->{caPath} if ( $self->{caPath} );
$h{cafile} ||= $self->ldapCAFile if ( $self->ldapCAFile );
$h{capath} ||= $self->ldapCAPath if ( $self->ldapCAPath );
$h{verify} ||= $self->ldapVerify if ( $self->ldapVerify );
my $start_tls = $ldap->start_tls(%h);
if ( $start_tls->code ) {
die 'tls failed: ' . $start_tls->error;
@ -475,7 +524,7 @@ sub _ldap {
# Bind with credentials
my $bind =
$ldap->bind( $self->{ldapBindDN}, password => $self->{ldapBindPassword} );
$ldap->bind( $self->ldapBindDN, password => $self->ldapBindPassword );
if ( $bind->code ) {
die 'bind failed: ' . $bind->error;
}
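Review bot: The new `Net::LDAP->new` options pass `verify` only `if ( $self->ldapVerify )`, and the StartTLS branch likewise has `$h{verify} ||= $self->ldapVerify if ( $self->ldapVerify );`, so an empty or missing `ldapVerify` falls through to Net::LDAP's own default rather than to `require`; the configuration backend patched in this same commit uses `verify => ( $self->{ldapVerify} || "require" )`, and mirroring it here — `verify => ( $self->ldapVerify || 'require' ),` and `$h{verify} ||= $self->ldapVerify || 'require';` — keeps certificate validation on by default in both places. The `ldapBindDN` and `ldapBindPassword` defaults now fall back to `managerDn`/`managerPassword` where the old code logged a warning; a one-line comment on each, e.g. `# Falls back to the global manager credentials when not set for this module`, would record the intent. `_ldap` continues outside the hunk.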


@ -123,12 +123,6 @@ sub BUILD {
$data = $self->_tie_session;
}
# If session is created
# Then set session kind in session
if ( $creation and $self->kind ) {
$data->{_session_kind} = $self->kind;
}
if ( $self->{info} ) {
foreach ( keys %{ $self->{info} } ) {
next if ( $_ eq "_session_id" and $data->{_session_id} );
@ -143,6 +137,12 @@ sub BUILD {
delete $self->{info};
}
# If session is created
# Then set session kind in session
if ( $creation and $self->kind ) {
$data->{_session_kind} = $self->kind;
}
# Load session data into object
if ($data) {
if ( $self->kind and $data->{_session_kind} ) {
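Review bot: The `_session_kind` assignment is moved below the loop that copies `info` keys into `$data`, which presumably makes `$self->kind` win over any `_session_kind` supplied through `info`; the two-line comment moved with it does not say so. Suggest extending it: `# Set after info is copied so that $self->kind overrides any _session_kind present in info`. `BUILD` continues outside the hunk.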


@ -27,7 +27,7 @@ if ( $action =~ /^(?:[gs]et|del|(?:add|del)Key|save|restore|rollback)$/ ) {
die "Manager libraries not available, aborting ($@)" if ($@);
Lemonldap::NG::Manager::Cli->run(@ARGV);
}
elsif ( $action =~ /^(?:info|update-cache)$/ ) {
elsif ( $action =~ /^(?:info|update-cache|test-email)$/ ) {
eval { require Lemonldap::NG::Common::Cli; };
die "Lemonldap::NG common libraries not available, aborting ($@)" if ($@);
Lemonldap::NG::Common::Cli->run(@ARGV);
@ -43,6 +43,7 @@ Available actions:
- help : print this
- info : get currentconfiguration info
- update-cache : force configuration cache to be updated
- test-email <destination> : send a test email
- get <keys> : get values of parameters
- set <key> <value> : set parameter(s) value(s)
- del <keys> : delete parameters
@ -83,6 +84,10 @@ Update local configuration cache
$ lemonldap-ng-cli update-cache
Send a test email
$ lemonldap-ng-cli test-email dwho@badwolf.org
Save configuration
$ lemonldap-ng-cli save >conf.json
@ -128,6 +133,8 @@ and L<Lemonldap::NG::Common::Cli>
=item update-cache
=item test-email
=item save
=item restore


@ -3,7 +3,7 @@
"author" : [
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 0,
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"


@ -12,7 +12,7 @@ build_requires:
Time::Fake: '0'
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 0
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:


@ -33,7 +33,8 @@ WriteMakefile(
MailingList => 'mailto:lemonldap-ng-dev@ow2.org',
license => 'http://opensource.org/licenses/GPL-2.0',
homepage => 'http://lemonldap-ng.org/',
bugtracker => 'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
bugtracker =>
'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
x_twitter => 'https://twitter.com/lemonldapng',
},
},


@ -20,6 +20,8 @@ sub portalConsts {
'10' => 'PE_BADCERTIFICATE',
'100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
'101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
'102' => 'PE_UPGRADESESSION',
'103' => 'PE_NO_SECOND_FACTORS',
'2' => 'PE_FORMEMPTY',
'21' => 'PE_PP_ACCOUNT_LOCKED',
'22' => 'PE_PP_PASSWORD_EXPIRED',


@ -265,17 +265,14 @@ sub checkMaintenanceMode {
return 0;
}
## @rmethod boolean grant(string uri, string cond)
# Grant or refuse client using compiled regexp and functions
## @rmethod int getLevel(string uri, string $vhost)
# Return required authentication level for this URI
# default to vhost authentication level
# @param $uri URI
# @param $cond optional Function granting access
# @return True if the user is granted to access to the current URL
sub grant {
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
# @param $vhost vhost name, default to current request
sub getLevel {
my ( $class, $req, $uri, $vhost ) = @_;
my $level;
return $cond->( $req, $session ) if ($cond);
$vhost ||= $class->resolveAlias($req);
# Using URL authentification level if exists
@ -290,13 +287,33 @@ sub grant {
last;
}
}
$level
? $class->logger->debug(
'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' )
: $class->logger->debug("No URL authentication level found...");
if ($level) {
$class->logger->debug(
'Found AuthnLevel=' . $level . ' for "' . "$vhost$uri" . '"' );
return $level;
}
else {
$class->logger->debug("No URL authentication level found...");
return $class->tsv->{authnLevel}->{$vhost};
}
}
## @rmethod boolean grant(string uri, string cond)
# Grant or refuse client using compiled regexp and functions
# @param $uri URI
# @param $cond optional Function granting access
# @return True if the user is granted to access to the current URL
sub grant {
my ( $class, $req, $session, $uri, $cond, $vhost ) = @_;
return $cond->( $req, $session ) if ($cond);
$vhost ||= $class->resolveAlias($req);
my $level = $class->getLevel( $req, $uri );
# Using VH authentification level if exists
if ( $level ||= $class->tsv->{authnLevel}->{$vhost} ) {
if ($level) {
if ( $session->{authenticationLevel} < $level ) {
$class->logger->debug(
"User authentication level = $session->{authenticationLevel}");


@ -155,6 +155,7 @@ site/htdocs/static/forms/select.html
site/htdocs/static/forms/sfExtra.html
site/htdocs/static/forms/sfExtraContainer.html
site/htdocs/static/forms/simpleInputContainer.html
site/htdocs/static/forms/SMTP.html
site/htdocs/static/forms/text.html
site/htdocs/static/forms/trool.html
site/htdocs/static/forms/virtualHost.html


@ -3,7 +3,7 @@
"author" : [
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 0,
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"


@ -8,7 +8,7 @@ build_requires:
Test::Pod: '1'
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 0
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:


@ -25,7 +25,8 @@ WriteMakefile(
MailingList => 'mailto:lemonldap-ng-dev@ow2.org',
license => 'http://opensource.org/licenses/GPL-2.0',
homepage => 'http://lemonldap-ng.org/',
bugtracker => 'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
bugtracker =>
'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
x_twitter => 'https://twitter.com/lemonldapng',
},
},


@ -1,6 +1,6 @@
package Lemonldap::NG::Manager::Api::2F;
our $VERSION = '2.0.8';
our $VERSION = '2.0.9';
package Lemonldap::NG::Manager::Api;


@ -1,6 +1,6 @@
package Lemonldap::NG::Manager::Api::Common;
our $VERSION = '2.0.8';
our $VERSION = '2.0.9';
package Lemonldap::NG::Manager::Api;


@ -713,6 +713,9 @@ sub attributes {
'casAppMetaDataOptions' => {
'type' => 'subContainer'
},
'casAppMetaDataOptionsAuthnLevel' => {
'type' => 'int'
},
'casAppMetaDataOptionsRule' => {
'test' => sub {
return perlExpr(@_);
@ -849,6 +852,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 0,
'type' => 'bool'
},
'checkUserDisplayComputedSession' => {
'default' => 1,
'type' => 'boolOrExpr'
},
'checkUserDisplayEmptyHeaders' => {
'default' => 0,
'type' => 'boolOrExpr'
@ -1588,6 +1595,12 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'test' => qr/^(?:\w+=.*|)$/,
'type' => 'text'
},
'ldapCAFile' => {
'type' => 'text'
},
'ldapCAPath' => {
'type' => 'text'
},
'ldapChangePasswordAsUser' => {
'default' => 0,
'type' => 'bool'
@ -1713,6 +1726,23 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
'default' => 1,
'type' => 'bool'
},
'ldapVerify' => {
'default' => 'require',
'select' => [ {
'k' => 'none',
'v' => 'None'
},
{
'k' => 'optional',
'v' => 'Optional'
},
{
'k' => 'require',
'v' => 'Require'
}
],
'type' => 'select'
},
'ldapVersion' => {
'default' => 3,
'type' => 'int'
@ -1727,6 +1757,10 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
'linkedInClientSecret' => {
'type' => 'password'
},
'linkedInFields' => {
'default' => 'id,first-name,last-name,email-address',
'type' => 'text'
},
'linkedInScope' => {
'default' => 'r_liteprofile r_emailaddress',
'type' => 'text'
@ -2155,6 +2189,9 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
'default' => 0,
'type' => 'bool'
},
'oidcRPMetaDataOptionsAuthnLevel' => {
'type' => 'int'
},
'oidcRPMetaDataOptionsAuthorizationCodeExpiration' => {
'type' => 'int'
},
@ -2483,6 +2520,10 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
],
'type' => 'select'
},
'passwordPolicyActivation' => {
'default' => 1,
'type' => 'boolOrExpr'
},
'passwordPolicyMinDigit' => {
'default' => 0,
'type' => 'int'
@ -2504,8 +2545,8 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
'type' => 'int'
},
'passwordPolicySpecialChar' => {
'default' => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
'test' => qr/^[\s\W_]*$/,
'default' => '__ALL__',
'test' => qr/^(?:__ALL__|[\S\W]*)$/,
'type' => 'text'
},
'passwordResetAllowedRetries' => {
@ -3396,6 +3437,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'keyTest' => qr/^[a-zA-Z](?:[a-zA-Z0-9_\-\.]*\w)?$/,
'type' => 'keyTextContainer'
},
'samlSPMetaDataOptionsAuthnLevel' => {
'type' => 'int'
},
'samlSPMetaDataOptionsCheckSLOMessageSignature' => {
'default' => 1,
'type' => 'bool'
@ -3633,6 +3677,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 1,
'type' => 'boolOrExpr'
},
'sfOnlyUpgrade' => {
'type' => 'bool'
},
'sfRemovedMsgRule' => {
'default' => 0,
'type' => 'boolOrExpr'
@ -3678,6 +3725,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 0,
'type' => 'bool'
},
'skipUpgradeConfirmation' => {
'default' => 0,
'type' => 'bool'
},
'slaveAuthnLevel' => {
'default' => 2,
'type' => 'int'


@ -491,6 +491,12 @@ sub attributes {
documentation => 'Display empty headers rule',
flags => 'p',
},
checkUserDisplayComputedSession => {
default => 1,
type => 'boolOrExpr',
documentation => 'Display empty headers rule',
flags => 'p',
},
globalLogoutRule => {
type => 'boolOrExpr',
default => 0,
@ -613,6 +619,12 @@ sub attributes {
documentation =>
'Avoid asking confirmation when an Issuer asks to renew auth',
},
skipUpgradeConfirmation => {
type => 'bool',
default => 0,
documentation =>
'Avoid asking confirmation during a session upgrade',
},
refreshSessions => {
type => 'bool',
documentation => 'Refresh sessions plugin',
@ -1466,6 +1478,11 @@ sub attributes {
type => 'bool',
documentation => 'Hide old password in portal',
},
passwordPolicyActivation => {
type => 'boolOrExpr',
default => 1,
documentation => 'Enable password policy',
},
passwordPolicyMinSize => {
default => 0,
type => 'int',
@ -1492,9 +1509,9 @@ sub attributes {
documentation => 'Password policy: minimal special characters',
},
passwordPolicySpecialChar => {
default => '! @ # $ % & * ( ) - = + [ ] { } ; : , . / ?',
default => '__ALL__',
type => 'text',
test => qr/^[\s\W_]*$/,
test => qr/^(?:__ALL__|[\S\W]*)$/,
documentation => 'Password policy: allowed special characters',
},
portalDisplayPasswordPolicy => {
@ -2316,6 +2333,11 @@ sub attributes {
type => 'text',
documentation => 'CAS User attribute',
},
casAppMetaDataOptionsAuthnLevel => {
type => 'int',
documentation =>
'Authentication level requires to access to this CAS application',
},
casAppMetaDataOptionsRule => {
type => 'text',
test => sub { return perlExpr(@_) },
@ -2927,6 +2949,11 @@ sub attributes {
type => 'bool',
default => 1,
},
samlSPMetaDataOptionsAuthnLevel => {
type => 'int',
documentation =>
'Authentication level requires to access to this SP',
},
samlSPMetaDataOptionsRule => {
type => 'text',
test => sub { return perlExpr(@_) },
@ -3022,6 +3049,11 @@ sub attributes {
help => 'secondfactor.html',
documentation => 'Second factor required',
},
sfOnlyUpgrade => {
type => 'bool',
help => 'secondfactor.html',
documentation => 'Only trigger second factor on session upgrade',
},
sfManagerRule => {
type => 'boolOrExpr',
default => 1,
@ -3263,6 +3295,27 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
type => 'bool',
documentation => 'Support for IBM Tivoli Directory Server',
},
ldapVerify => {
type => 'bool',
documentation => 'Whether to validate LDAP certificates',
type => "select",
select => [
{ k => 'none', v => 'None' },
{ k => 'optional', v => 'Optional' },
{ k => 'require', v => 'Require' },
],
default => 'require',
},
ldapCAFile => {
type => 'text',
documentation =>
'Location of the certificate file for LDAP connections',
},
ldapCAPath => {
type => 'text',
documentation =>
'Location of the CA directory for LDAP connections',
},
# SSL
SSLAuthnLevel => {
@ -3465,7 +3518,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
},
linkedInClientID => { type => 'text', },
linkedInClientSecret => { type => 'password', },
linkedInUserField => { type => 'text', default => 'emailAddress' },
linkedInFields => {
type => 'text',
default => 'id,first-name,last-name,email-address'
},
linkedInUserField => { type => 'text', default => 'emailAddress' },
linkedInScope =>
{ type => 'text', default => 'r_liteprofile r_emailaddress' },
@ -4073,6 +4130,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 0,
documentation => 'Issue refresh tokens',
},
oidcRPMetaDataOptionsAuthnLevel => {
type => 'int',
documentation =>
'Authentication level requires to access to this RP',
},
oidcRPMetaDataOptionsRule => {
type => 'text',
test => sub { return perlExpr(@_) },


@ -134,6 +134,7 @@ sub cTrees {
nodes => [
"samlSPMetaDataOptionsEncryptionMode",
"samlSPMetaDataOptionsEnableIDPInitiatedURL",
"samlSPMetaDataOptionsAuthnLevel",
"samlSPMetaDataOptionsRule",
]
}
@ -221,6 +222,7 @@ sub cTrees {
'oidcRPMetaDataOptionsRequirePKCE',
'oidcRPMetaDataOptionsAllowOffline',
'oidcRPMetaDataOptionsAllowPasswordGrant',
'oidcRPMetaDataOptionsAuthnLevel',
'oidcRPMetaDataOptionsRule',
]
},
@ -286,6 +288,7 @@ sub cTrees {
nodes => [
'casAppMetaDataOptionsService',
'casAppMetaDataOptionsUserAttribute',
'casAppMetaDataOptionsAuthnLevel',
'casAppMetaDataOptionsRule'
]
},


@ -108,7 +108,9 @@ sub portalConstants {
PE_RESETCERTIFICATE_FORMEMPTY => 98,
PE_RESETCERTIFICATE_FIRSTACCESS => 99,
PE_PP_NOT_ALLOWED_CHARACTER => 100,
PE_PP_NOT_ALLOWED_CHARACTERS => 101
PE_PP_NOT_ALLOWED_CHARACTERS => 101,
PE_UPGRADESESSION => 102,
PE_NO_SECOND_FACTORS => 103
};
}


@ -88,13 +88,21 @@ sub tree {
'portalRequireOldPassword',
'hideOldPassword',
'mailOnPasswordChange',
]
},
{
title => 'passwordPolicy',
help => 'portalcustom.html#password-policy',
form => 'simpleInputContainer',
nodes => [
'passwordPolicyActivation',
'portalDisplayPasswordPolicy',
'passwordPolicyMinSize',
'passwordPolicyMinLower',
'passwordPolicyMinUpper',
'passwordPolicyMinDigit',
'passwordPolicyMinSpeChar',
'passwordPolicySpecialChar',
'portalDisplayPasswordPolicy',
]
},
{
@ -257,10 +265,12 @@ sub tree {
help => 'authldap.html#connection',
form => 'simpleInputContainer',
nodes => [
'ldapServer', 'ldapPort',
'ldapBase', 'managerDn',
'managerPassword', 'ldapTimeout',
'ldapVersion', 'ldapRaw'
'ldapServer', 'ldapPort',
'ldapVerify', 'ldapBase',
'managerDn', 'managerPassword',
'ldapTimeout', 'ldapVersion',
'ldapRaw', 'ldapCAFile',
'ldapCAPath',
]
},
{
@ -311,8 +321,8 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'linkedInAuthnLevel', 'linkedInClientID',
'linkedInClientSecret', 'linkedInUserField',
'linkedInScope'
'linkedInClientSecret', 'linkedInFields',
'linkedInUserField', 'linkedInScope'
]
},
{
@ -755,6 +765,7 @@ sub tree {
'checkUserUnrestrictedUsersRule',
'checkUserHiddenAttributes',
'checkUserSearchAttributes',
'checkUserDisplayComputedSession',
'checkUserDisplayEmptyHeaders',
'checkUserDisplayEmptyValues',
'checkUserDisplayPersistentInfo',
@ -919,6 +930,7 @@ sub tree {
'sfRemovedNotifMsg',
],
},
'sfOnlyUpgrade',
'sfManagerRule',
'sfRequired',
]
@ -933,6 +945,7 @@ sub tree {
{
title => 'SMTP',
help => 'smtp.html',
form => 'SMTP',
nodes => [
'mailSessionKey',
'SMTPServer',
@ -1025,8 +1038,10 @@ sub tree {
help => 'redirections.html#portal-redirections',
form => 'simpleInputContainer',
nodes => [
'jsRedirect', 'noAjaxHook',
'jsRedirect',
'noAjaxHook',
'skipRenewConfirmation',
'skipUpgradeConfirmation',
]
},
'nginxCustomHandlers',


@ -11,6 +11,7 @@ use utf8;
use Mouse;
use Lemonldap::NG::Common::Conf::Constants;
use Lemonldap::NG::Common::UserAgent;
use Lemonldap::NG::Common::EmailTransport;
use Crypt::OpenSSL::RSA;
use Convert::PEM;
use URI::URL;
@ -58,9 +59,10 @@ sub init {
# New key and conf save
->addRoute(
confs => {
newRSAKey => 'newRSAKey',
raw => 'newRawConf',
'*' => 'newConf'
newRSAKey => 'newRSAKey',
sendTestMail => 'sendTestMail',
raw => 'newRawConf',
'*' => 'newConf'
},
['POST']
)
@ -119,6 +121,52 @@ sub newRSAKey {
return $self->sendJSONresponse( $req, $keys );
}
# Sending a test Email
# --------------------
##@method public PSGI-JSON-response sendTestMail($req)
# Sends a test email to the provided address
# The posted data must contain a JSON object containing
# {"dest":"target@example.com"}
#
#@param $req Lemonldap::NG::Common::PSGI::Request object
#@return PSGI JSON response
sub sendTestMail {
my ( $self, $req, @others ) = @_;
return $self->sendError( $req, 'There is no subkey for "sendTestMail"',
400 )
if (@others);
my $dest = $req->jsonBodyToObj->{dest};
unless ($dest) {
$self->logger->debug("Missing dest parameter for sending test mail");
return $self->sendJSONresponse(
$req,
{
success => \0,
error => "You must provide an email address"
}
);
}
my $conf = $self->confAcc->getConf();
# Try to send test Email
$self->logger->info("Sending test email to $dest");
eval {
Lemonldap::NG::Common::EmailTransport::sendTestMail( $conf, $dest );
};
my $error = $@;
my $success = ( $error ? 0 : 1 );
$self->logger->debug("Email was sent") unless $error;
return $self->sendJSONresponse(
$req,
{
success => \$success,
( $error ? ( error => $error ) : () )
}
);
}
# 36 - URL File loader
# ---------------
@ -229,7 +277,7 @@ sub newConf {
if ( $cfgNum ne $req->params('cfgNum') ) { $parser->confChanged(1); }
my $res = { result => $parser->check($self->p) };
my $res = { result => $parser->check( $self->p ) };
# "message" fields: note that words enclosed by "__" (__word__) will be
# translated
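Review bot: `sendTestMail` passes `$dest` from the JSON body straight to `Lemonldap::NG::Common::EmailTransport::sendTestMail` with no format check, so any manager user can supply an arbitrary string, including one containing newlines, commas or angle brackets; whether the transport layer itself rejects header injection or multiple recipients is not visible in this commit. A minimal guard before the `getConf()` call would be `return $self->sendJSONresponse( $req, { success => \0, error => 'Invalid email address' } ) if $dest =~ /[\s,;<>]/;`, which also keeps an unchecked user-controlled value out of the `"Sending test email to $dest"` log line. The message is sent with the configuration returned by `$self->confAcc->getConf()`, i.e. the last saved one rather than the values the administrator is currently editing, which deserves a comment next to that line such as `# Uses the last saved configuration, not unsaved form values`. The raw `$@` text is returned to the browser as `error`; that is acceptable for an authenticated administrator, but note that this POST route effectively lets any manager account send mail through the configured SMTP relay at will, which may be worth stating in the method's header comment.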


@ -302,35 +302,17 @@ sub tests {
},
# Test SMTP connection and authentication (warning only)
smtpConnectionAuthentication => sub {
smtpConfiguration => sub {
# Skip test if no SMTP configuration
return 1 unless ( $conf->{SMTPServer} );
# Use SMTP
eval "use Net::SMTP";
return ( 1, "Net::SMTP module is required to use SMTP server" )
eval "use Lemonldap::NG::Common::EmailTransport";
return ( 1, "Could not load Lemonldap::NG::Common::EmailTransport" )
if ($@);
# Create SMTP object
my $smtp = Net::SMTP->new(
$conf->{SMTPServer},
Timeout => 5,
( $conf->{SMTPPort} ? ( Port => $conf->{SMTPPort} ) : () ),
);
return ( 1,
"SMTP connection to " . $conf->{SMTPServer} . " failed" )
unless ($smtp);
# Skip other tests if no authentication
return 1
unless ( $conf->{SMTPAuthUser} and $conf->{SMTPAuthPass} );
# Try authentication
return ( 1, "SMTP authentication failed" )
unless $smtp->auth( $conf->{SMTPAuthUser},
$conf->{SMTPAuthPass} );
return 1;
return Lemonldap::NG::Common::EmailTransport->configTest($conf);
},
# SAML entity ID must be unique
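Review bot: The heading comment `# Test SMTP connection and authentication (warning only)` still describes the removed Net::SMTP probe, while the renamed `smtpConfiguration` test now delegates everything to `Lemonldap::NG::Common::EmailTransport->configTest($conf)`, whose return contract is not visible in this commit. The old body returned `1` for pass and `(1, $message)` for a warning, so the delegation should be documented with that expectation, e.g. `# Delegated to EmailTransport->configTest; expected to return 1, or (1, $warning) when the SMTP settings cannot be validated`. The early `return 1 unless ( $conf->{SMTPServer} )` is also kept, so any mail configuration that `configTest` could validate without `SMTPServer` set is silently skipped — presumably intended, but worth a word in that comment.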


@ -661,6 +661,35 @@ llapp.controller 'TreeCtrl', [
# virtualHost
return if node.type and node.type.match /^(?:s(?:aml(?:(?:ID|S)PMetaDataNod|Attribut)e|fExtra)|(?:(?:cmbMod|r)ul|authChoic)e|(?:virtualHos|keyTex)t|menu(?:App|Cat))$/ then true else false
# Send test Email
$scope.sendTestMail = ->
$scope.message =
title: 'sendTestMail'
field: 'dest'
$scope.showModal('prompt.html').then ->
n= $scope.result
$scope.waiting = true
dest = $scope.result
$http.post("#{window.confPrefix}/sendTestMail", {"dest": dest}).then (response) ->
success = response.data.success
error = response.data.error
$scope.waiting = false
if success
$scope.message =
title: 'ok'
message: '__sendTestMailSuccess__'
items: []
else
$scope.message =
title: 'error'
message: error
items: []
$scope.showModal 'message.html'
, readError
, ->
console.log('Error sending test email')
# RSA keys generation
$scope.newRSAKey = ->
$scope.showModal('password.html').then ->
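Review bot: The rejection handler at the end of the new `$scope.sendTestMail` logs `'Error sending test email'` whenever the `prompt.html` modal promise is rejected, which — if `showModal` behaves like the `password.html` call just below, where dismissal presumably also rejects — fires when the administrator simply cancels the prompt, before any request is made; `console.log('Test email prompt cancelled')` would describe that path accurately. `n= $scope.result` on the line after `then ->` is assigned and never used and should be dropped, since `dest = $scope.result` already captures the value. The server's `error` string is displayed verbatim through `message.html`; that is fine as long as the template renders it via a binding rather than as HTML, which this file does not show.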


@ -0,0 +1,12 @@
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">{{translateTitle(currentNode)}}</h3>
</div>
</div>
<script type="text/menu">
[{
"title": "sendTestMail",
"action": "sendTestMail",
"icon": "envelope"
}]
</script>


@ -48,6 +48,12 @@ function templates(tpl,key) {
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",
"title" : "casAppMetaDataOptionsUserAttribute"
},
{
"get" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsAuthnLevel",
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsAuthnLevel",
"title" : "casAppMetaDataOptionsAuthnLevel",
"type" : "int"
},
{
"get" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
"id" : tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",
@ -535,6 +541,12 @@ function templates(tpl,key) {
"title" : "oidcRPMetaDataOptionsAllowPasswordGrant",
"type" : "bool"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthnLevel",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAuthnLevel",
"title" : "oidcRPMetaDataOptionsAuthnLevel",
"type" : "int"
},
{
"get" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
"id" : tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",
@ -1153,6 +1165,12 @@ function templates(tpl,key) {
"title" : "samlSPMetaDataOptionsEnableIDPInitiatedURL",
"type" : "bool"
},
{
"get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsAuthnLevel",
"id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsAuthnLevel",
"title" : "samlSPMetaDataOptionsAuthnLevel",
"type" : "int"
},
{
"get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",
"id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",




@ -805,6 +805,42 @@ This file contains:
return false;
}
};
$scope.sendTestMail = function() {
$scope.message = {
title: 'sendTestMail',
field: 'dest'
};
return $scope.showModal('prompt.html').then(function() {
var dest, n;
n = $scope.result;
$scope.waiting = true;
dest = $scope.result;
return $http.post(window.confPrefix + "/sendTestMail", {
"dest": dest
}).then(function(response) {
var error, success;
success = response.data.success;
error = response.data.error;
$scope.waiting = false;
if (success) {
$scope.message = {
title: 'ok',
message: '__sendTestMailSuccess__',
items: []
};
} else {
$scope.message = {
title: 'error',
message: error,
items: []
};
}
return $scope.showModal('message.html');
}, readError);
}, function() {
return console.log('Error sending test email');
});
};
$scope.newRSAKey = function() {
return $scope.showModal('password.html').then(function() {
var currentNode, password;




@ -122,6 +122,7 @@
"casAppMetaDataNodes":"تطبيق كاس",
"casAppMetaDataOptions":"خيارات",
"casAppMetaDataOptionsService":"خدمة أل يو أر ل",
"casAppMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
"casAppMetaDataOptionsRule":"القاعدة",
"casAppMetaDataMacros":"ماكرو",
"casAppMetaDataOptionsUserAttribute":"خاصّيّة المستخدم",
@ -193,7 +194,8 @@
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"السمات المخفية",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Display empty values",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"المتغيرات المصدرة",
"demoParams":"إثبات المعايير",
"description":"التفاصيل",
"dest":"Recipient",
"diffViewer":"المشاهد المختلف",
"diffWithPrevious":"الفرق مع السابق",
"disabled":"معطلة",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"السماح بإعادة تعيين كلمة مرور منتهية الصلاحية",
"ldapAuthnLevel":"مستوى إثبات الهوية",
"ldapBase":"قاعدة بحث المستخدمين",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"تغيير كمستخدم",
"ldapConnection":"الاتصال",
"ldapExportedVars":"المتغيرات المصدرة",
@ -442,6 +447,7 @@
"ldapSetPassword":"تعديل كلمة المرور مع عملية موسعة",
"ldapTimeout":"مهلة",
"ldapUsePasswordResetAttribute":"استخدام سمة إعادة الضبط",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"الإصدار",
"level":"Level",
"linkedInAuthnLevel":"مستوى إثبات الهوية",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"بروتوكول",
"oidcRPMetaDataOptionsPublic":"Public client",
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
"oidcRPMetaDataOptionsRule":"قاعدة الدخول",
"oidcRPMetaDataMacros":"ماكرو",
"oidcOPMetaDataOptionsScope":"نطاق",
@ -696,6 +703,8 @@
"password":"كلمة المرور",
"passwordDB":"وحدة كلمة المرور",
"passwordManagement":"إدارة كلمة المرور",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"تفعيل",
"passwordPolicyMinSize":"Minimal size",
"passwordPolicyMinLower":"Minimal lower characters",
"passwordPolicyMinUpper":"Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Second factors",
"securedCookie":"ملفات تعريف الارتباط المضمونة (سسل)",
"security":"الحماية",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"خطأ في جهاز الخادم",
"session":"جلسة",
"sessions":"الجلسات",
@ -849,6 +860,7 @@
"sfaTitle":"Second factors authentication",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"تفعيل",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"مستخدم واحد لكل عنوان آي بي",
"skipRenewConfirmation":"Skip re-auth confirmation",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"مستوى إثبات الهوية",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"المتغيرات المصدرة",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"جلسة ليست مع أو بعد المدة",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"ليس على أو بعد المدة",
"samlSPMetaDataOptionsForceUTF8":"فرضUTF-8 ",
"samlSPMetaDataOptionsAuthnLevel":"مستوى إثبات الهوية",
"samlSPMetaDataOptionsRule":"قاعدة الدخول",
"samlSPMetaDataMacros":"ماكرو",
"samlIDPName":"اسم SAML IDP",


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"CAS Applikationen",
"casAppMetaDataOptions":"Optionen",
"casAppMetaDataOptionsService":"Service URL",
"casAppMetaDataOptionsAuthnLevel":"Authentication level",
"casAppMetaDataOptionsRule":"Regel",
"casAppMetaDataMacros":"Macros",
"casAppMetaDataOptionsUserAttribute":"User attribute",
@ -193,7 +194,8 @@
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Display empty values",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"Exported variables",
"demoParams":"Demonstration parameters",
"description":"Beschreibung",
"dest":"Recipient",
"diffViewer":"Difference viewer",
"diffWithPrevious":"difference with previous",
"disabled":"Disabled",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
"ldapAuthnLevel":"Authentication level",
"ldapBase":"Users search base",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"Change as user",
"ldapConnection":"Connection",
"ldapExportedVars":"Exported variables",
@ -442,6 +447,7 @@
"ldapSetPassword":"Password modify extended operation",
"ldapTimeout":"Timeout",
"ldapUsePasswordResetAttribute":"Use reset attribute",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"Version",
"level":"Level",
"linkedInAuthnLevel":"Authentication level",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protocol",
"oidcRPMetaDataOptionsPublic":"Public client",
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
"oidcRPMetaDataOptionsRule":"Access rule",
"oidcRPMetaDataMacros":"Macros",
"oidcOPMetaDataOptionsScope":"Scope",
@ -696,6 +703,8 @@
"password":"Password",
"passwordDB":"Password module",
"passwordManagement":"Password management",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"Activation",
"passwordPolicyMinSize":"Minimal size",
"passwordPolicyMinLower":"Minimal lower characters",
"passwordPolicyMinUpper":"Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Second factors",
"securedCookie":"Secured Cookie (SSL)",
"security":"Security",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Server error",
"session":"session",
"sessions":"Sessions",
@ -849,6 +860,7 @@
"sfaTitle":"Second factors authentication",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"Activation",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"One user per IP address",
"skipRenewConfirmation":"Skip re-auth confirmation",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"Authentication level",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"Exported variables",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Authentication level",
"samlSPMetaDataOptionsRule":"Access rule",
"samlSPMetaDataMacros":"Macros",
"samlIDPName":"SAML IDP Name",
@ -1143,4 +1157,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"CAS Applications",
"casAppMetaDataOptions":"Options",
"casAppMetaDataOptionsService":"Service URL",
"casAppMetaDataOptionsAuthnLevel":"Authentication level",
"casAppMetaDataOptionsRule":"Rule",
"casAppMetaDataMacros":"Macros",
"casAppMetaDataOptionsUserAttribute":"User attribute",
@ -193,7 +194,8 @@
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Display empty values",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"Exported variables",
"demoParams":"Demonstration parameters",
"description":"Description",
"dest":"Recipient",
"diffViewer":"Difference viewer",
"diffWithPrevious":"difference with previous",
"disabled":"Disabled",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
"ldapAuthnLevel":"Authentication level",
"ldapBase":"Users search base",
"ldapCAFile": "CA file path",
"ldapCAPath": "CA directory path",
"ldapChangePasswordAsUser":"Change as user",
"ldapConnection":"Connection",
"ldapExportedVars":"Exported variables",
@ -442,6 +447,7 @@
"ldapSetPassword":"Password modify extended operation",
"ldapTimeout":"Timeout",
"ldapUsePasswordResetAttribute":"Use reset attribute",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"Version",
"level":"Level",
"linkedInAuthnLevel":"Authentication level",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protocol",
"oidcRPMetaDataOptionsPublic":"Public client",
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"Authentication level",
"oidcRPMetaDataOptionsRule":"Access rule",
"oidcRPMetaDataMacros":"Macros",
"oidcOPMetaDataOptionsScope":"Scope",
@ -696,6 +703,8 @@
"password":"Password",
"passwordDB":"Password module",
"passwordManagement":"Password management",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"Activation",
"passwordPolicyMinSize": "Minimal size",
"passwordPolicyMinLower": "Minimal lower characters",
"passwordPolicyMinUpper": "Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Second factors",
"securedCookie":"Secured Cookie (SSL)",
"security":"Security",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Server error",
"session":"session",
"sessions":"Sessions",
@ -849,6 +860,7 @@
"sfaTitle":"Second factors authentication",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade": "Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"Activation",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"One user per IP address",
"skipRenewConfirmation":"Skip re-auth confirmation",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"Authentication level",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"Exported variables",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Authentication level",
"samlSPMetaDataOptionsRule":"Access rule",
"samlSPMetaDataMacros":"Macros",
"samlIDPName":"SAML IDP Name",


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"Applications CAS",
"casAppMetaDataOptions":"Options",
"casAppMetaDataOptionsService":"URL du service",
"casAppMetaDataOptionsAuthnLevel":"Niveau d'authentification",
"casAppMetaDataOptionsRule":"Règle",
"casAppMetaDataMacros":"Macros",
"casAppMetaDataOptionsUserAttribute":"Attribut de l'utilisateur",
@ -193,6 +194,7 @@
"checkUserIdRule":"Règle d'utilisation des identités",
"checkUserHiddenAttributes":"Attributs masqués",
"checkUserUnrestrictedUsersRule":"Règle des utilisateurs non restreints",
"checkUserDisplayComputedSession":"Afficher les sessions évaluées",
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
"checkUserDisplayEmptyHeaders":"Afficher les entêtes nuls",
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
@ -271,6 +273,7 @@
"demoExportedVars":"Variables exportées",
"demoParams":"Paramètres démonstration",
"description":"Description",
"dest":"Destinataire",
"diffViewer":"Visualisateur de différence",
"diffWithPrevious":"différence avec la précédente",
"disabled":"Désactivé",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Autoriser le changement de mot de passe expiré",
"ldapAuthnLevel":"Niveau d'authentification",
"ldapBase":"Base de recherche des utilisateurs",
"ldapCAFile": "Autorité de certification (fichier)",
"ldapCAPath": "Autorité de certification (répertoire)",
"ldapChangePasswordAsUser":"Changement en tant qu'utilisateur",
"ldapConnection":"Connexion",
"ldapExportedVars":"Variables exportées",
@ -442,6 +447,7 @@
"ldapSetPassword":"Opération étendue password modify",
"ldapTimeout":"Temps maximum d'inactivité",
"ldapUsePasswordResetAttribute":"Utiliser l'attribut de réinitialisation",
"ldapVerify":"Vérifier le certificat du serveur LDAP",
"ldapVersion":"Version",
"level":"Niveau",
"linkedInAuthnLevel":"Niveau d'authentification",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protocole",
"oidcRPMetaDataOptionsPublic":"Client public",
"oidcRPMetaDataOptionsRequirePKCE":"PKCE requis",
"oidcRPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
"oidcRPMetaDataOptionsRule":"Règle d'accès",
"oidcRPMetaDataMacros":"Macros",
"oidcOPMetaDataOptionsScope":"Étendue",
@ -696,6 +703,8 @@
"password":"Mot-de-passe",
"passwordDB":"Module de mot de passe",
"passwordManagement":"Gestion des mots de passe",
"passwordPolicy":"Politique des mots de passe",
"passwordPolicyActivation":"Activation",
"passwordPolicyMinSize": "Taille minimale",
"passwordPolicyMinLower": "Minimum de minuscules",
"passwordPolicyMinUpper": "Minimum de majuscules",
@ -835,6 +844,8 @@
"secondFactors":"Seconds facteurs",
"securedCookie":"Cookie sécurisé (HTTPS)",
"security":"Sécurité",
"sendTestMail":"Test envoi de mail",
"sendTestMailSuccess":"Envoi du mail de test réussi",
"serverError":"Erreur du serveur",
"session":"session",
"sessions":"Sessions",
@ -849,6 +860,7 @@
"sfaTitle":"Seconds facteurs d'authentification",
"sfExtra":"Seconds facteurs additionnels",
"sfManagerRule":"Afficher le lien du Gestionnaire",
"sfOnlyUpgrade": "Utiliser le second facteur pour augmenter le niveau d'authentification",
"sfRequired":"Exiger l'enrôlement d'un SF à l'authentification",
"sfRemovedNotification":"Avertir si un SF expiré est supprimé",
"sfRemovedMsgRule":"Activation",
@ -864,6 +876,7 @@
"singleSession":"Une seule session par utilisateur",
"singleUserByIP":"Un seul utilisateur par adresse IP",
"skipRenewConfirmation":"Éviter la confirmation de ré-authentification",
"skipUpgradeConfirmation":"Éviter la confirmation d'élévation du niveau d'authentification",
"slaveAuthnLevel":"Niveau d'authentification",
"slaveDisplayLogo":"Afficher le logo d'authentification",
"slaveExportedVars":"Variables exportées",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durée sessionNotOnOrAfter",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durée notOnOrAfter",
"samlSPMetaDataOptionsForceUTF8":"Forcer l'UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Niveau d'authentification",
"samlSPMetaDataOptionsRule":"Règle d'accès",
"samlSPMetaDataMacros":"Macros",
"samlIDPName":"Nom du fournisseur d'identité SAML",


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"Applicazioni CAS",
"casAppMetaDataOptions":"Opzioni",
"casAppMetaDataOptionsService":"URL del servizio",
"casAppMetaDataOptionsAuthnLevel":"Livello di autenticazione",
"casAppMetaDataOptionsRule":"Regola",
"casAppMetaDataMacros":"Macro",
"casAppMetaDataOptionsUserAttribute":"Attributo utente",
@ -193,7 +194,8 @@
"checkUserIdRule":"Uso della regola delle identità",
"checkUserHiddenAttributes":"Attributi nascosti",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Mostra sessione persistente",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Mostra valori vuoti",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"Variabili esportate",
"demoParams":"Parametri di dimostrazione",
"description":"Descrizione",
"dest":"Recipient",
"diffViewer":"Visualizzatore di differenza",
"diffWithPrevious":"differenza con il precedente",
"disabled":"Disabilitato",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Consenti di reimpostare una password scaduta",
"ldapAuthnLevel":"Livello di autenticazione",
"ldapBase":"Base di ricerca degli utenti",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"Cambia come utente",
"ldapConnection":"Connessione",
"ldapExportedVars":"Variabili esportate",
@ -442,6 +447,7 @@
"ldapSetPassword":"Operazione prolungata di modifica password",
"ldapTimeout":"Timeout",
"ldapUsePasswordResetAttribute":"Utilizza l'attributo di ripristino",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"Versione",
"level":"Livello",
"linkedInAuthnLevel":"Livello di autenticazione",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protocollo",
"oidcRPMetaDataOptionsPublic":"Cliente pubblico",
"oidcRPMetaDataOptionsRequirePKCE":"Richiedi PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
"oidcRPMetaDataOptionsRule":"Regola di accesso",
"oidcRPMetaDataMacros":"Macro",
"oidcOPMetaDataOptionsScope":"Scopo",
@ -696,6 +703,8 @@
"password":"Password",
"passwordDB":"Modulo password",
"passwordManagement":"Gestione password",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"Attivazione",
"passwordPolicyMinSize":"Minimal size",
"passwordPolicyMinLower":"Minimal lower characters",
"passwordPolicyMinUpper":"Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Secondi fattori",
"securedCookie":"Cookie protetti (SSL)",
"security":"Sicurezza",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Errore del server",
"session":"sessione",
"sessions":"Sessioni",
@ -849,6 +860,7 @@
"sfaTitle":"Autenticazione a due fattori",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"Attivazione",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"One user per IP address",
"skipRenewConfirmation":"Salta la conferma di re-auth",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"Livello di autenticazione",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"Variabili esportate",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"Durata sessionNotOnOrAfter ",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Durata di notOnOrAfter ",
"samlSPMetaDataOptionsForceUTF8":"Forza UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Livello di autenticazione",
"samlSPMetaDataOptionsRule":"Regola di accesso",
"samlSPMetaDataMacros":"Macro",
"samlIDPName":"Nome di SAML IDP ",
@ -1143,4 +1157,4 @@
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
}
}


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"Aplikacje CAS",
"casAppMetaDataOptions":"Opcje",
"casAppMetaDataOptionsService":"URL usługi",
"casAppMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
"casAppMetaDataOptionsRule":"Reguła",
"casAppMetaDataMacros":"Makra",
"casAppMetaDataOptionsUserAttribute":"Atrybut użytkownika",
@ -193,7 +194,8 @@
"checkUserIdRule":"Reguła korzystania z tożsamości",
"checkUserHiddenAttributes":"Ukryte atrybuty",
"checkUserUnrestrictedUsersRule":"Reguła nieograniczonych użytkowników",
"checkUserDisplayPersistentInfo":"Wyświetl trwałą sesję",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Wyświetl puste nagłówki",
"checkUserDisplayEmptyValues":"Wyświetl puste wartości",
"checkUserSearchAttributes":"Atrybuty używane do wyszukiwania sesji",
@ -271,6 +273,7 @@
"demoExportedVars":"Wyeksportowane zmienne",
"demoParams":"Parametry demonstracyjne",
"description":"Opis",
"dest":"Recipient",
"diffViewer":"Przeglądarka różnic",
"diffWithPrevious":"różnica w stosunku do poprzednich",
"disabled":"Wyłączone",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Pozwól resetować wygasłe hasło",
"ldapAuthnLevel":"Poziom uwierzytelnienia",
"ldapBase":"Baza wyszukiwania użytkowników",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"Zmień jako użytkownik",
"ldapConnection":"Połączenie",
"ldapExportedVars":"Wyeksportowane zmienne",
@ -442,6 +447,7 @@
"ldapSetPassword":"Rozszerzona operacja modyfikacji hasła",
"ldapTimeout":"Limit czasu",
"ldapUsePasswordResetAttribute":"Użyj atrybutu reset",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"Wersja",
"level":"Poziom",
"linkedInAuthnLevel":"Poziom uwierzytelnienia",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protokół",
"oidcRPMetaDataOptionsPublic":"Klient publiczny",
"oidcRPMetaDataOptionsRequirePKCE":"Wymagaj PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
"oidcRPMetaDataOptionsRule":"Reguła dostępu",
"oidcRPMetaDataMacros":"Makra",
"oidcOPMetaDataOptionsScope":"Zakres",
@ -696,6 +703,8 @@
"password":"Hasło",
"passwordDB":"Moduł hasła",
"passwordManagement":"Zarządzanie hasłami",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"Aktywacja",
"passwordPolicyMinSize":"Minimalny rozmiar",
"passwordPolicyMinLower":"Minimalna liczba małych liter",
"passwordPolicyMinUpper":"Minimalna liczba dużych liter",
@ -835,6 +844,8 @@
"secondFactors":"Drugi czynnik",
"securedCookie":"Bezpieczne pliki cookie (SSL)",
"security":"Bezpieczeństwo",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Błąd serwera",
"session":"sesja",
"sessions":"Sesje",
@ -849,6 +860,7 @@
"sfaTitle":"Drugi czynnik uwierzytelniania",
"sfExtra":"Dodatkowe drugie czynniki",
"sfManagerRule":"Link do Menedżera wyświetlania",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Wymuś rejestrację 2FA przy logowaniu",
"sfRemovedNotification":"Ostrzeż, gdy przeterminowany 2FA został usunięty",
"sfRemovedMsgRule":"Aktywacja",
@ -864,6 +876,7 @@
"singleSession":"Jedna sesja na użytkownika",
"singleUserByIP":"Jeden użytkownik na adres IP",
"skipRenewConfirmation":"Pomiń potwierdzenie ponownego uwierzytelnienia",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"Poziom uwierzytelnienia",
"slaveDisplayLogo":"Wyświetl logo uwierzytelniające",
"slaveExportedVars":"Wyeksportowane zmienne",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"czas trwania sessionNotOnOrAfter",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"czas trwania notOnOrAfter",
"samlSPMetaDataOptionsForceUTF8":"Wymuś UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Poziom uwierzytelnienia",
"samlSPMetaDataOptionsRule":"Reguła dostępu",
"samlSPMetaDataMacros":"Makra",
"samlIDPName":"Nazwa IDP SAML",


@ -106,10 +106,10 @@
"browseTree":"Ağaca göz at",
"bruteForceProtection":"Aktivasyon",
"bruteForceAttackProtection":"Kaba kuvvet saldırı koruması",
"bruteForceProtectionIncrementalTempo":"Incremental lock",
"bruteForceProtectionLockTimes":"Incremental lock times",
"bruteForceProtectionMaxFailed":"Allowed failed logins",
"bruteForceProtectionTempo":"Lock time",
"bruteForceProtectionIncrementalTempo":"Artan gecikme",
"bruteForceProtectionLockTimes":"Artan gecikme zamanı",
"bruteForceProtectionMaxFailed":"İzin verilen başarısız girişler",
"bruteForceProtectionTempo":"Kilit süresi",
"cancel":"İptal Et",
"captcha_login_enabled":"Giriş formunda aktivasyon",
"captcha_mail_enabled":"E-posta formu tarafından parola sıfırlamada aktivasyon",
@ -122,6 +122,7 @@
"casAppMetaDataNodes":"CAS Uygulamaları",
"casAppMetaDataOptions":"Seçenekler",
"casAppMetaDataOptionsService":"Servis URL'si",
"casAppMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
"casAppMetaDataOptionsRule":"Kural",
"casAppMetaDataMacros":"Makrolar",
"casAppMetaDataOptionsUserAttribute":"Kullanıcı niteliği",
@ -185,7 +186,7 @@
"cfgVersion":"Yapılandırma sürümü",
"checkXSS":"XSS saldırılarını kontrol et",
"clickHereToForce":"Zorlamak için buraya tıklayın",
"checkboxes":"Checkboxes",
"checkboxes":"Onay kutuları",
"checkState":"Aktivasyon",
"checkStateSecret":"Paylaşılan sır",
"checkUsers":"TOA profil Kontrolü",
@ -193,7 +194,8 @@
"checkUserIdRule":"Kimlik kullanım kuralı",
"checkUserHiddenAttributes":"Gizli nitelikler",
"checkUserUnrestrictedUsersRule":"Kısıtlamasız kullanıcı kuralı",
"checkUserDisplayPersistentInfo":"Kalıcı oturumu görüntüle",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Boş başlıkları görüntüle",
"checkUserDisplayEmptyValues":"Boş değerleri görüntüle",
"checkUserSearchAttributes":"Arama oturumlarında kullanılan nitelikler",
@ -271,6 +273,7 @@
"demoExportedVars":"Dışa aktarılan değişkenler",
"demoParams":"Gösterim parametreleri",
"description":"Açıklama",
"dest":"Recipient",
"diffViewer":"Fark görüntüleyici",
"diffWithPrevious":"önceki ile farkı",
"disabled":"Devre dışı",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Süresi dolmuş bir parolayı sıfırlamaya izin ver",
"ldapAuthnLevel":"Doğrulama seviyesi",
"ldapBase":"Kullanıcı arama tabanı",
"ldapCAFile":"CA dosya yolu",
"ldapCAPath":"CA dizin yolu",
"ldapChangePasswordAsUser":"Kullanıcı olarak değiştir",
"ldapConnection":"Bağlantı",
"ldapExportedVars":"Dışa aktarılan değişkenler",
@ -442,6 +447,7 @@
"ldapSetPassword":"Parola değiştirme işlemi genişletilmiş",
"ldapTimeout":"Zaman aşımı",
"ldapUsePasswordResetAttribute":"Sıfırlama niteliklerini kullan",
"ldapVerify":"LDAP sunucu sertifikasını doğrulayın",
"ldapVersion":"Sürüm",
"level":"Seviye",
"linkedInAuthnLevel":"Doğrulama seviyesi",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protokol",
"oidcRPMetaDataOptionsPublic":"Açık istemci",
"oidcRPMetaDataOptionsRequirePKCE":"PKCE gerektir",
"oidcRPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
"oidcRPMetaDataOptionsRule":"Erişim kuralı",
"oidcRPMetaDataMacros":"Makrolar",
"oidcOPMetaDataOptionsScope":"Kapsam",
@ -696,6 +703,8 @@
"password":"Parola",
"passwordDB":"Parola modülü",
"passwordManagement":"Parola yönetimi",
"passwordPolicy":"Parola ilkesi",
"passwordPolicyActivation":"Aktivasyon",
"passwordPolicyMinSize":"Minimum parola uzunluğu",
"passwordPolicyMinLower":"Minimum küçük harf karakter sayısı",
"passwordPolicyMinUpper":"Minimum büyük harf karakter sayısı",
@ -835,6 +844,8 @@
"secondFactors":"İki faktörlü kimlik doğrulama",
"securedCookie":"Güvenli Çerez (SSL)",
"security":"Güvenlik",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Sunucu hatası",
"session":"oturum",
"sessions":"Oturumlar",
@ -849,6 +860,7 @@
"sfaTitle":"İki faktörlü kimlik doğrulaması",
"sfExtra":"Ek ikinci faktörler",
"sfManagerRule":"Yönetici bağlantısını görüntüle",
"sfOnlyUpgrade":"Oturum yükseltme için 2FA kullan",
"sfRequired":"Girişte 2FA kayıtlanmaya zorla",
"sfRemovedNotification":"Süresi dolan 2FA kaldırıldığında uyar",
"sfRemovedMsgRule":"Aktivasyon",
@ -864,6 +876,7 @@
"singleSession":"Her kullanıcı için bir oturum",
"singleUserByIP":"Her IP adresi için bir kullanıcı",
"skipRenewConfirmation":"Yeniden yetkilendirme doğrulamasını geç",
"skipUpgradeConfirmation":"Yükseltme doğrulamasını geç",
"slaveAuthnLevel":"Doğrulama seviyesi",
"slaveDisplayLogo":"Doğrulama logosunu görüntüle",
"slaveExportedVars":"Dışa aktarılan değişkenler",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter süresi",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter süresi",
"samlSPMetaDataOptionsForceUTF8":"UTF-8'e zorla",
"samlSPMetaDataOptionsAuthnLevel":"Doğrulama seviyesi",
"samlSPMetaDataOptionsRule":"Erişim kuralı",
"samlSPMetaDataMacros":"Makrolar",
"samlIDPName":"SAML IDP Adı",
@ -1143,4 +1157,4 @@
"samlRelayStateTimeout":"RelayState oturum zaman aşımı",
"samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
"samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
}
}


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"Ứng dụng CAS",
"casAppMetaDataOptions":"Tùy chọn",
"casAppMetaDataOptionsService":"Dịch vụ URL",
"casAppMetaDataOptionsAuthnLevel":"Mức xác thực",
"casAppMetaDataOptionsRule":"Quy tắc",
"casAppMetaDataMacros":"Macros",
"casAppMetaDataOptionsUserAttribute":"thuộc tính người dùng",
@ -193,7 +194,8 @@
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Thuộc tính ẩn",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Display empty values",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"Xuất khẩu biến",
"demoParams":"Tham số trình diễn",
"description":"Mô tả",
"dest":"Recipient",
"diffViewer":"Người xem khác ",
"diffWithPrevious":"khác biệt với cái trước",
"disabled":"Tắt",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Cho phép đặt lại mật khẩu đã hết hạn",
"ldapAuthnLevel":"Mức xác thực",
"ldapBase":"Cơ sở tìm kiếm người dùng",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"Thay đổi như người dùng",
"ldapConnection":"Kết nối",
"ldapExportedVars":"Biến đã được xuất",
@ -442,6 +447,7 @@
"ldapSetPassword":"Mật khẩu sửa đổi hoạt động mở rộng",
"ldapTimeout":"Thời gian chờ",
"ldapUsePasswordResetAttribute":"Sử dụng thuộc tính đặt lại",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"Phiên bản",
"level":"Mức",
"linkedInAuthnLevel":"Mức xác thực",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Giao thức",
"oidcRPMetaDataOptionsPublic":"Public client",
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"Mức xác thực",
"oidcRPMetaDataOptionsRule":"Quy tắc truy cập",
"oidcRPMetaDataMacros":"Macros",
"oidcOPMetaDataOptionsScope":"Phạm vi",
@ -696,6 +703,8 @@
"password":"Mật khẩu",
"passwordDB":"Mô-đun mật khẩu",
"passwordManagement":"Quản lý mật khẩu",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"Kích hoạt",
"passwordPolicyMinSize":"Minimal size",
"passwordPolicyMinLower":"Minimal lower characters",
"passwordPolicyMinUpper":"Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Second factors",
"securedCookie":"Cookie bảo mật (SSL)",
"security":"An ninh",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Lỗi máy chủ",
"session":"phiên",
"sessions":"Phiên",
@ -849,6 +860,7 @@
"sfaTitle":"Second factors authentication",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"Kích hoạt",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"Một người dùng theo địa chỉ IP",
"skipRenewConfirmation":"Skip re-auth confirmation",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"Mức xác thực",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"Biến đã được xuất",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"thời gian sessionNotOnOrAfter ",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"Thời gian notOnOrAfter ",
"samlSPMetaDataOptionsForceUTF8":"Bắt buộc UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"Mức xác thực",
"samlSPMetaDataOptionsRule":"Quy tắc truy cập",
"samlSPMetaDataMacros":"Macros",
"samlIDPName":"Tên SAML IDP ",
@ -1143,4 +1157,4 @@
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}


@ -122,6 +122,7 @@
"casAppMetaDataNodes":"CAS 系列应用",
"casAppMetaDataOptions":"选项",
"casAppMetaDataOptionsService":"服务 URL",
"casAppMetaDataOptionsAuthnLevel":"认证级别",
"casAppMetaDataOptionsRule":"规则",
"casAppMetaDataMacros":"Macros",
"casAppMetaDataOptionsUserAttribute":"User attribute",
@ -193,7 +194,8 @@
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayComputedSession":"Display computed sessions",
"checkUserDisplayPersistentInfo":"Display persistent session data",
"checkUserDisplayEmptyHeaders":"Display empty headers",
"checkUserDisplayEmptyValues":"Display empty values",
"checkUserSearchAttributes":"Attributes used for searching sessions",
@ -271,6 +273,7 @@
"demoExportedVars":"Exported variables",
"demoParams":"Demonstration parameters",
"description":"Description",
"dest":"Recipient",
"diffViewer":"Difference viewer",
"diffWithPrevious":"difference with previous",
"disabled":"Disabled",
@ -414,6 +417,8 @@
"ldapAllowResetExpiredPassword":"Allow to reset an expired password",
"ldapAuthnLevel":"认证等级",
"ldapBase":"Users search base",
"ldapCAFile":"CA file path",
"ldapCAPath":"CA directory path",
"ldapChangePasswordAsUser":"Change as user",
"ldapConnection":"连接",
"ldapExportedVars":"Exported variables",
@ -442,6 +447,7 @@
"ldapSetPassword":"Password modify extended operation",
"ldapTimeout":"Timeout",
"ldapUsePasswordResetAttribute":"Use reset attribute",
"ldapVerify":"Verify LDAP server certificate",
"ldapVersion":"版本",
"level":"Level",
"linkedInAuthnLevel":"认证等级",
@ -595,6 +601,7 @@
"oidcOPMetaDataOptionsProtocol":"Protocol",
"oidcRPMetaDataOptionsPublic":"Public client",
"oidcRPMetaDataOptionsRequirePKCE":"Require PKCE",
"oidcRPMetaDataOptionsAuthnLevel":"认证级别",
"oidcRPMetaDataOptionsRule":"Access rule",
"oidcRPMetaDataMacros":"Macros",
"oidcOPMetaDataOptionsScope":"Scope",
@ -696,6 +703,8 @@
"password":"Password",
"passwordDB":"Password module",
"passwordManagement":"Password management",
"passwordPolicy":"Password policy",
"passwordPolicyActivation":"激活",
"passwordPolicyMinSize":"Minimal size",
"passwordPolicyMinLower":"Minimal lower characters",
"passwordPolicyMinUpper":"Minimal upper characters",
@ -835,6 +844,8 @@
"secondFactors":"Second factors",
"securedCookie":"Secured Cookie (SSL)",
"security":"Security",
"sendTestMail":"Send test email",
"sendTestMailSuccess":"Test email successfully sent",
"serverError":"Server error",
"session":"session",
"sessions":"Sessions",
@ -849,6 +860,7 @@
"sfaTitle":"Second factors authentication",
"sfExtra":"Additional second factors",
"sfManagerRule":"Display Manager link",
"sfOnlyUpgrade":"Use 2FA for session upgrade",
"sfRequired":"Force 2FA registration at login",
"sfRemovedNotification":"Warn if an expired 2FA is removed",
"sfRemovedMsgRule":"激活",
@ -864,6 +876,7 @@
"singleSession":"One session per user",
"singleUserByIP":"One user per IP address",
"skipRenewConfirmation":"Skip re-auth confirmation",
"skipUpgradeConfirmation":"Skip upgrade confirmation",
"slaveAuthnLevel":"认证等级",
"slaveDisplayLogo":"Display authentication logo",
"slaveExportedVars":"Exported variables",
@ -1076,6 +1089,7 @@
"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout":"sessionNotOnOrAfter duration",
"samlSPMetaDataOptionsNotOnOrAfterTimeout":"notOnOrAfter duration",
"samlSPMetaDataOptionsForceUTF8":"Force UTF-8",
"samlSPMetaDataOptionsAuthnLevel":"认证级别",
"samlSPMetaDataOptionsRule":"Access rule",
"samlSPMetaDataMacros":"Macros",
"samlIDPName":"SAML IDP Name",
@ -1143,4 +1157,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}




@ -382,6 +382,7 @@ site/htdocs/static/languages/fi.json
site/htdocs/static/languages/fr.json
site/htdocs/static/languages/it.json
site/htdocs/static/languages/nl.json
site/htdocs/static/languages/pl.json
site/htdocs/static/languages/pt.json
site/htdocs/static/languages/ro.json
site/htdocs/static/languages/tr.json
@ -448,7 +449,6 @@ site/templates/bootstrap/totp2fcheck.tpl
site/templates/bootstrap/totp2fregister.tpl
site/templates/bootstrap/u2fcheck.tpl
site/templates/bootstrap/u2fregister.tpl
site/templates/bootstrap/updatesession.tpl
site/templates/bootstrap/upgradesession.tpl
site/templates/bootstrap/utotp2fcheck.tpl
site/templates/bootstrap/yubikey2fregister.tpl
@ -494,6 +494,7 @@ t/20-Auth-and-password-DBI-dynamic-hash.t
t/20-Auth-and-password-DBI.t
t/20-Auth-DBI-utf8.t
t/21-Auth-and-password-LDAP.t
t/21-Auth-LDAP-Policy-only.t
t/21-Auth-LDAP-Policy.t
t/21-Auth-LDAP-utf8.t
t/22-Auth-and-password-AD.t
@ -529,6 +530,7 @@ t/30-SAML-Macros.t
t/30-SAML-POST-Logout-when-expired.t
t/30-SAML-POST-Logout-when-removed.t
t/30-SAML-POST-with-2F-and-Notification.t
t/30-SAML-POST-with-2F-UpgradeOnly.t
t/30-SAML-POST-with-Notification.t
t/30-SAML-ReAuth-with-choice.t
t/30-SAML-ReAuth.t
@ -556,6 +558,7 @@ t/32-Auth-and-issuer-OIDC-implicit.t
t/32-Auth-and-issuer-OIDC-sorted.t
t/32-CAS-10.t
t/32-CAS-Macros.t
t/32-OIDC-Code-Flow-with-2F-UpgradeOnly.t
t/32-OIDC-Code-Flow-with-2F.t
t/32-OIDC-Macro.t
t/32-OIDC-Offline-Session.t
@ -590,6 +593,7 @@ t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
t/37-OIDC-RP-to-SAML-IdP-GET.t
t/37-OIDC-RP-to-SAML-IdP-POST.t
t/37-SAML-SP-GET-to-OIDC-OP.t
t/37-SAML-SP-GET-to-SAML-with-Logout.t
t/37-SAML-SP-POST-to-CAS-server-with-Choice.t
t/37-SAML-SP-POST-to-CAS-server.t
t/37-SAML-SP-POST-to-OIDC-OP.t
@ -657,6 +661,7 @@ t/66-CDA.t
t/67-CheckUser-with-Global-token.t
t/67-CheckUser-with-Impersonation-and-Macros.t
t/67-CheckUser-with-issuer-SAML-POST.t
t/67-CheckUser-with-rules.t
t/67-CheckUser-with-token.t
t/67-CheckUser-with-UnrestrictedUser.t
t/67-CheckUser.t
@ -699,6 +704,7 @@ t/77-2F-Mail-with-global-storage.t
t/77-2F-Mail.t
t/78-2F-Upgrade-Many.t
t/78-2F-Upgrade.t
t/78-2F-UpgradeOnly.t
t/79-2F-Yubikey-from-Session.t
t/79-2F-Yubikey.t
t/90-Translations.t


@ -3,7 +3,7 @@
"author" : [
"Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
],
"dynamic_config" : 0,
"dynamic_config" : 1,
"generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
"license" : [
"open_source"
@ -67,6 +67,7 @@
},
"requires" : {
"Clone" : "0",
"Lemonldap::NG::Handler" : "v2.0.9",
"Regexp::Assemble" : "0"
}
}


@ -16,7 +16,7 @@ build_requires:
XML::LibXML: '0'
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 0
dynamic_config: 1
generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
license: open_source
meta-spec:
@ -52,6 +52,7 @@ recommends:
Web::ID: '0'
requires:
Clone: '0'
Lemonldap::NG::Handler: v2.0.9
Regexp::Assemble: '0'
resources:
MailingList: mailto:lemonldap-ng-dev@ow2.org


@ -42,7 +42,8 @@ WriteMakefile(
MailingList => 'mailto:lemonldap-ng-dev@ow2.org',
license => 'http://opensource.org/licenses/GPL-2.0',
homepage => 'http://lemonldap-ng.org/',
bugtracker => 'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
bugtracker =>
'https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues',
x_twitter => 'https://twitter.com/lemonldapng',
},
},
@ -63,7 +64,7 @@ WriteMakefile(
},
PREREQ_PM => {
'Clone' => 0,
'Lemonldap::NG::Handler' => '2.0.9',
'Regexp::Assemble' => 0,
},
(


@ -19,6 +19,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_SENDRESPONSE
PE_TOKENEXPIRED
PE_NO_SECOND_FACTORS
);
our $VERSION = '2.1.0';
@ -198,7 +199,30 @@ sub run {
$self->logger->debug("2F checkLogins set") if ($checkLogins);
# Skip 2F unless a module has been registered
return PE_OK unless ( @{ $self->sfModules } );
unless ( @{ $self->sfModules } ) {
if ( $self->conf->{sfOnlyUpgrade} and $req->data->{doingSfUpgrade} ) {
$self->logger->error(
"Trying to perform 2FA session upgrade but no "
. "second factor modules are configured" );
return PE_ERROR;
}
else {
return PE_OK;
}
}
# Skip 2F if authnLevel is already high enough
if (
$self->conf->{sfOnlyUpgrade}
and ( ( $req->pdata->{targetAuthnLevel} || 0 ) <=
( $req->sessionInfo->{authenticationLevel} || 0 ) )
)
{
$self->logger->debug(
"Current authentication level satisfied target service,"
. " skipping 2FA" );
return PE_OK;
}
# Remove expired 2F devices
my $session = $req->sessionInfo;
@ -296,7 +320,16 @@ sub run {
return PE_SENDRESPONSE;
}
else {
return PE_OK;
if ( $self->conf->{sfOnlyUpgrade} and $req->data->{doingSfUpgrade} )
{
# cancel redirection to issuer/vhost
delete $req->pdata->{_url};
return PE_NO_SECOND_FACTORS;
}
else {
return PE_OK;
}
}
}
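Review bot: With sfOnlyUpgrade set, a login that no issuer initiated (no targetAuthnLevel in pdata) takes the `( ... || 0 ) <= ( ... || 0 )` branch and never runs 2FA, and that consequence is only implied by the debug message; a comment above the check would help: `# Without a targetAuthnLevel (login not triggered by a service), sfOnlyUpgrade skips 2FA entirely; issuers re-check the level and call upgradeAuth`. If pdata is client-held state this skip must not be the only enforcement point — the CAS, OIDC and SAML issuers in this commit re-compare the session level against the service level before issuing, which is what makes it safe, and the comment should say so. PE_ERROR on the no-modules branch is not among the constants visible in the import hunk at the top; check that it is already imported above. run() starts and ends outside these hunks.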


@ -248,7 +248,9 @@ sub try {
$req->data->{dataKeep}->{combinationTry};
if ( $res > 0 and $res != PE_FIRSTACCESS ) {
$self->userLogger->warn( 'All schemes failed'
. ( $req->user ? ' for user ' . $req->user : '' ) );
. ( $req->user ? ' for user ' . $req->user : '' ) . ' ('
. $req->address
. ')' );
}
return $res;
}


@ -1410,6 +1410,15 @@ sub authLogout {
# Create Logout object
$logout = $self->createLogout( $self->lassoServer );
# Do we check signature?
my $checkSLOMessageSignature =
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
->{samlIDPMetaDataOptionsCheckSLOMessageSignature};
unless ($checkSLOMessageSignature) {
$self->disableSignatureVerification($logout);
}
# Process logout response
my $result = $self->processLogoutResponseMsg( $logout, $response );
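Review bot: The new guard disables signature verification whenever samlIDPMetaDataOptionsCheckSLOMessageSignature is false, so an IdP entry whose option is missing from the configuration (undef) falls open rather than closed. If the configuration loader is known to fill in a default for this key that is fine; otherwise treating undef as "verify", e.g. `unless ( $checkSLOMessageSignature // 1 ) {`, keeps the pre-commit behaviour for existing configurations. Either way a comment such as `# An unsigned LogoutResponse is accepted only when explicitly allowed for this IdP` would document the intent. authLogout starts and ends outside this hunk.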


@ -100,6 +100,13 @@ sub storeEnvAndCheckGateway {
if ($app) {
$req->env->{llng_cas_app} = $app;
# Store target authentication level in pdata
my $targetAuthnLevel = $self->conf->{casAppMetaDataOptions}->{$app}
->{casAppMetaDataOptionsAuthnLevel};
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
if $targetAuthnLevel;
}
}
@ -150,20 +157,6 @@ sub run {
|| $req->param('gateway');
my $casServiceTicket;
# Renew
if ( $renew
and $renew eq 'true'
and time - $req->sessionInfo->{_utime} >
$self->conf->{portalForceAuthnInterval} )
{
# Authentication must be replayed
$self->logger->debug("Authentication renew requested");
$self->{updateSession} = 1;
$req->env->{QUERY_STRING} =~ s/renew=true/renew=false/;
return $self->reAuth($req);
}
# If no service defined, exit
unless ( defined $service ) {
$self->logger->debug("No service defined in CAS URL");
@ -177,6 +170,28 @@ sub run {
my ( $host, $uri ) = ( $1, $2 );
my $app = $self->casAppList->{$host};
my $spAuthnLevel = 0;
if ($app) {
$spAuthnLevel = $self->conf->{casAppMetaDataOptions}->{$app}
->{casAppMetaDataOptionsAuthnLevel} || 0;
}
# Renew
if ( $renew
and $renew eq 'true'
and time - $req->sessionInfo->{_utime} >
$self->conf->{portalForceAuthnInterval} )
{
# Authentication must be replayed
$self->logger->debug("Authentication renew requested");
$self->{updateSession} = 1;
$req->env->{QUERY_STRING} =~ s/renew=true/renew=false/;
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->reAuth($req);
}
# Check access on the service
my $casAccessControlPolicy = $self->conf->{casAccessControlPolicy};
@ -188,6 +203,21 @@ sub run {
$self->userLogger->error('CAS service not configured');
return PE_CAS_SERVICE_NOT_ALLOWED;
}
# Check if we have sufficient auth level
my $authenticationLevel =
$req->{sessionInfo}->{authenticationLevel} || 0;
if ( $authenticationLevel < $spAuthnLevel ) {
$self->logger->debug(
"Insufficient authentication level for service $app"
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
# Reauth with sp auth level as target
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->upgradeAuth($req);
}
# Check access rule
if ( my $rule = $self->spRules->{$app} ) {
if ( $rule->( $req, $req->sessionInfo ) ) {
$self->logger->debug("CAS service $service access allowed");
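Review bot: The level check reads the session as `$req->{sessionInfo}->{authenticationLevel}` while the rest of this hunk and the renew block use the accessor form `$req->sessionInfo->{...}`; the OIDC issuer's new check in this commit does the same, so `my $authenticationLevel = $req->sessionInfo->{authenticationLevel} || 0;` in both keeps one access style. Since storeEnvAndCheckGateway also stores targetAuthnLevel in pdata for the 2F engine, the comparison here is the one that actually gates issuance for the service; a one-line comment `# Authoritative check: pdata only carries the target level to the 2F engine` would make that relationship clear. run() starts and ends outside these hunks.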


@ -321,6 +321,9 @@ sub run {
);
}
my $spAuthnLevel = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAuthnLevel} || 0;
# Check if user needs to be reauthenticated
my $prompt = $oidc_request->{'prompt'};
if (
@ -334,6 +337,7 @@ sub run {
$self->logger->debug(
"Reauthentication required by Relying Party in prompt parameter"
);
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->reAuth($req);
}
@ -343,9 +347,23 @@ sub run {
$self->logger->debug(
"Reauthentication forced because authentication time ($_lastAuthnUTime) is too old (>$max_age s)"
);
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->reAuth($req);
}
# Check if we have sufficient auth level
my $authenticationLevel =
$req->{sessionInfo}->{authenticationLevel} || 0;
if ( $authenticationLevel < $spAuthnLevel ) {
$self->logger->debug(
"Insufficient authentication level for service $rp"
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
# Reauth with sp auth level as target
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->upgradeAuth($req);
}
# Check scope validity
# We use a slightly more relaxed version of
# https://tools.ietf.org/html/rfc6749#appendix-A.4
@ -2162,6 +2180,12 @@ sub exportRequestParameters {
if ( $req->param('client_id') ) {
my $rp = $self->getRP( $req->param('client_id') );
$req->env->{"llng_oidc_rp"} = $rp if $rp;
# Store target authentication level in pdata
my $targetAuthnLevel = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsAuthnLevel};
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
if $targetAuthnLevel;
}
return PE_OK;
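Review bot: In exportRequestParameters `$rp` can be undef (getRP's result is only used conditionally on the line above), yet the next statement indexes `$self->conf->{oidcRPMetaDataOptions}->{$rp}` unconditionally, which emits an uninitialized-value warning and autovivifies an empty-string key in the configuration hash for unknown client_id values. Guarding it like the CAS and SAML issuers do, `my $targetAuthnLevel = $rp ? $self->conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsAuthnLevel} : undef;`, avoids both. exportRequestParameters starts and ends outside this hunk.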


@ -2,9 +2,12 @@ package Lemonldap::NG::Portal::Issuer::SAML;
use strict;
use Mouse;
use URI;
use URI::QueryParam;
use Lemonldap::NG::Portal::Lib::SAML;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_REDIRECT
PE_SESSIONEXPIRED
PE_SAML_ART_ERROR
PE_SAML_DESTINATION_ERROR
@ -158,6 +161,10 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u
$self->path => { relaySingleLogoutPOST => 'sloRelayPost' },
[ 'GET', 'POST' ]
);
$self->addUnauthRoute(
$self->path => { singleLogoutResume => 'sloResume' },
[ 'GET', 'POST' ]
);
$self->addUnauthRoute(
$self->path => { relaySingleLogoutTermination => 'sloRelayTerm' },
[ 'GET', 'POST' ]
@ -185,6 +192,13 @@ sub storeEnv {
$req->env->{llng_saml_sp} = $sp;
if ( my $spConfKey = $self->spList->{$sp}->{confKey} ) {
$req->env->{llng_saml_spconfkey} = $spConfKey;
# Store target authentication level in pdata
my $targetAuthnLevel =
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsAuthnLevel};
$req->pdata->{targetAuthnLevel} = $targetAuthnLevel
if $targetAuthnLevel;
}
}
return PE_OK;
@ -389,6 +403,7 @@ sub run {
$self->logger->debug("$sp match $spConfKey SP in configuration");
$req->env->{llng_saml_spconfkey} = $spConfKey;
# Check access rule
if ( my $rule = $self->spRules->{$spConfKey} ) {
unless ( $rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->warn( 'User '
@ -450,6 +465,10 @@ sub run {
$self->logger->debug("SSO: authentication request is valid");
my $spAuthnLevel =
$self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsAuthnLevel} || 0;
# Get ForceAuthn flag
my $force_authn;
@ -477,6 +496,7 @@ sub run {
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
# Replay authentication process
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->reAuth($req);
}
@ -486,9 +506,18 @@ sub run {
unless ( $self->checkDestination( $login->request, $url ) );
}
# Map authenticationLevel with SAML2 authentication context
# Check if we have sufficient auth level
my $authenticationLevel =
$req->{sessionInfo}->{authenticationLevel};
$req->{sessionInfo}->{authenticationLevel} || 0;
if ( $authenticationLevel < $spAuthnLevel ) {
$self->logger->debug(
"Insufficient authentication level for service $spConfKey"
. " (has: $authenticationLevel, want: $spAuthnLevel)" );
# Reauth with sp auth level as target
$req->pdata->{targetAuthnLevel} = $spAuthnLevel;
return $self->upgradeAuth($req);
}
$authn_context =
$self->authnLevel2authnContext($authenticationLevel);
@ -1392,7 +1421,8 @@ sub sloRelaySoap {
# Store success status for this SLO request
my $sloStatusSessionInfos =
$self->getSamlSession( $relayState, { $spConfKey => 1 } );
$self->getSamlSession( $relayState,
{ $spConfKey => 1, _utime => time() } );
if ($sloStatusSessionInfos) {
$self->logger->debug(
@ -1554,6 +1584,69 @@ sub authSloServer {
return $self->sloServer($req);
}
sub sloResume {
my ( $self, $req ) = @_;
my $ResumeParams = $req->params('ResumeParams');
unless ($ResumeParams) {
$self->logger->error("Could not find resumption info");
return PE_SAML_SLO_ERROR;
}
my $logoutContextSession = $self->getSamlSession($ResumeParams);
unless ($logoutContextSession) {
$self->logger->error("Could not find logout context session");
return PE_SAML_SLO_ERROR;
}
my $spConfKey = $logoutContextSession->data->{spConfKey};
my $method = $logoutContextSession->data->{method};
my $provider_nb = $logoutContextSession->data->{provider_nb};
my $relayID = $logoutContextSession->data->{relayID};
# Restore Lasso logout object from XML dump
my $logout = $self->createLogout( $self->lassoServer,
$logoutContextSession->data->{logout} );
# Restore session info (for logout of other SPs)
$req->setInfo( $logoutContextSession->data->{info} )
if $logoutContextSession->data->{info};
return $self->_finishSlo( $req, $logout, $method, $spConfKey, $provider_nb,
$relayID );
}
sub _finishSlo {
my ( $self, $req, $logout, $method, $spConfKey, $provider_nb, $relayID ) =
@_;
# Signature
my $signSLOMessage = $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsSignSLOMessage};
unless ($signSLOMessage) {
$self->logger->debug("Do not sign this SLO response");
return $self->sendSLOErrorResponse( $req, $logout, $method )
unless ( $self->disableSignature($logout) );
}
# If no waiting SP, return directly SLO response
unless ($provider_nb) {
return $self->sendLogoutResponseToServiceProvider( $req, $logout,
$method );
}
# Else build SLO status relay URL and display info
else {
$req->{urldc} =
$self->conf->{portal} . '/saml/relaySingleLogoutTermination';
$self->p->setHiddenFormValue( $req, 'relay', $relayID, '', 0 );
return $self->p->do( $req, [] );
}
}
sub sloServer {
my ( $self, $req ) = @_;
my $url = $req->uri;
@ -1735,33 +1828,65 @@ sub sloServer {
# This flag is for logout() to say that SAML logout is already done
$req->data->{samlSLOCalled} = 1;
# This variable decides if we call the authLogout step
# (which can redirect away)
my $doAuthLogout = 0;
my $logoutContextSession;
# TODO: for now, we only try authLogout to disconnect an
# external IDP if the current session has been opened on a
# SAML IDP. We only propagate logout to the IDP our SP is SAML
# AND our IDP is SAML too
if ( $req->sessionInfo->{_lassoSessionDump} ) {
$doAuthLogout = 1;
# In case we have to redirect to the IDP, save current state
# to allow resumption. This needs to be done here because
# issuerUrldc will be put in the IdP logout's RelayState
my $logoutInfos = {
logout => $logout->dump,
spConfKey => $spConfKey,
method => $method,
provider_nb => $provider_nb,
relayID => $relayID,
_utime => time(),
};
$logoutContextSession =
$self->getSamlSession( undef, $logoutInfos );
my $uri =
URI->new( $self->conf->{portal} . '/saml/singleLogoutResume' );
$uri->query_param( ResumeParams => $logoutContextSession->id );
$req->{issuerUrldc} = $uri->as_string;
}
# We don't want info to interfere with the auth logout process
my $savedInfo = $req->info;
$req->setInfo('');
# Launch normal logout and ignore errors
$req->steps( [ @{ $self->p->beforeLogout }, 'deleteSession' ] );
$self->p->process($req);
$req->steps( [
@{ $self->p->beforeLogout },
( $doAuthLogout ? 'authLogout' : () ),
'deleteSession'
]
);
my $res = $self->p->process($req);
$self->logger->debug("MAXBES Process retuned $res");
# Signature
my $signSLOMessage = $self->conf->{samlSPMetaDataOptions}->{$spConfKey}
->{samlSPMetaDataOptionsSignSLOMessage};
if ( $res eq PE_REDIRECT ) {
unless ($signSLOMessage) {
$self->logger->debug("Do not sign this SLO response");
return $self->sendSLOErrorResponse( $req, $logout, $method )
unless ( $self->disableSignature($logout) );
# Save session info (for logout of other SP)
if ($savedInfo) {
$logoutContextSession->update( { info => $savedInfo } );
}
return $self->p->do( $req, [ sub { PE_REDIRECT } ] );
}
# If no waiting SP, return directly SLO response
unless ($provider_nb) {
return $self->sendLogoutResponseToServiceProvider( $req, $logout,
$method );
}
$req->info($savedInfo);
# Else build SLO status relay URL and display info
else {
$req->{urldc} =
$self->conf->{portal} . '/saml/relaySingleLogoutTermination';
$self->p->setHiddenFormValue( $req, 'relay', $relayID, '', 0 );
return $self->p->do( $req, [] );
}
return $self->_finishSlo( $req, $logout, $method, $spConfKey,
$provider_nb, $relayID );
}
elsif ($response) {
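Review bot: `$self->logger->debug("MAXBES Process retuned $res");` in sloServer looks like a leftover developer marker with a typo; `$self->logger->debug("Logout process returned $res");` reads as a normal log line. In sloResume the logout context session is looked up by ResumeParams on an unauthenticated route and is never removed after use, so the same id can re-enter _finishSlo until the session expires; removing it once its data has been read (the session object's remove method, if available here) narrows that window. The lookup uses `$req->params('ResumeParams')` whereas the CAS issuer on this page reads single parameters with `$req->param(...)`; worth confirming that is the intended accessor. sloServer starts and ends outside this hunk.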


@ -130,7 +130,7 @@ sub getUser {
? $self->mailFilter->($req)
: $self->filter->($req)
),
defer => $self->conf->{ldapSearchDeref} || 'find',
deref => $self->conf->{ldapSearchDeref} || 'find',
attrs => $self->attrs,
);
if ( $mesg->code() != 0 ) {
