Merge branch 'v2.0'

COPYING

@@ -133,6 +133,10 @@ License: CC-3
 Comment: This work, "CustomAuth.png", is a derivative of
  "Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
 
+Files: lemonldap-ng-portal/site/htdocs/static/common/fonts/password.ttf
+Copyright: 2007, the Tap2Play Team, https://git.tap2play.org.au/tap2play/web/tree/dev/fonts
+License: Expat
+
 Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/*
 Copyright: Various artists
 License: CC-BY-NC-ND-3.0 or GFDL-1.3

_example/etc/nginx-lmlog.conf

@@ -3,4 +3,4 @@ log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
 	'"$http_referer" "$http_user_agent" $lmremote_custom';
 log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
 	'"$request" $status $body_bytes_sent '
-	'"$http_referer" "$http_user_agent" $lmremote_custom';
+	'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';

_example/etc/portal-apache2.X.conf

@@ -116,7 +116,7 @@
         </IfVersion>
     </Location>
 
-    # Enabe compression
+    # Enable compression
     <Location />
         <IfModule mod_deflate.c>
                 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css

_example/etc/portal-apache2.conf

@@ -87,7 +87,7 @@
         Deny from all
     </Location>
 
-    # Enabe compression
+    # Enable compression
     <Location />
         <IfModule mod_deflate.c>
                 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css

lemonldap-ng-common/.prove

@@ -1,105 +1,116 @@
 ---
-generation: 2
+generation: 3
-last_run_time: 1567071551.30841
+last_run_time: 1568228253.60673
 tests:
   t/01-Common-Conf.t:
-    elapsed: 0.472490072250366
+    elapsed: 0.0860559940338135
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.71014
+    last_pass_time: 1568228253.51096
     last_result: 0
-    last_run_time: 1567071550.71014
+    last_run_time: 1568228253.51096
     last_todo: 0
-    seq: 5
+    mtime: 1566161618
-    total_passes: 1
+    seq: 14
+    total_passes: 2
   t/02-Common-Conf-File.t:
-    elapsed: 0.0793302059173584
+    elapsed: 0.0139250755310059
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.68052
+    last_pass_time: 1568228253.60618
     last_result: 0
-    last_run_time: 1567071550.68052
+    last_run_time: 1568228253.60618
     last_todo: 0
-    seq: 4
+    mtime: 1566161618
-    total_passes: 1
+    seq: 22
+    total_passes: 2
   t/03-Common-Conf-CDBI.t:
-    elapsed: 0.61043119430542
+    elapsed: 0.166121959686279
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.95767
+    last_pass_time: 1568228253.58678
     last_result: 0
-    last_run_time: 1567071550.95767
+    last_run_time: 1568228253.58678
     last_todo: 0
-    seq: 6
+    mtime: 1567458069
-    total_passes: 1
+    seq: 19
+    total_passes: 2
   t/03-Common-Conf-RDBI.t:
-    elapsed: 0.66497802734375
+    elapsed: 0.187541961669922
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071551.00435
+    last_pass_time: 1568228253.60138
     last_result: 0
-    last_run_time: 1567071551.00435
+    last_run_time: 1568228253.60138
     last_todo: 0
-    seq: 7
+    mtime: 1567458069
-    total_passes: 1
+    seq: 21
+    total_passes: 2
   t/05-Common-Conf-LDAP.t:
-    elapsed: 0.64878511428833
+    elapsed: 0.157251119613647
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071551.07637
+    last_pass_time: 1568228253.57577
     last_result: 0
-    last_run_time: 1567071551.07637
+    last_run_time: 1568228253.57577
     last_todo: 0
-    seq: 8
+    mtime: 1566161616
-    total_passes: 1
+    seq: 16
+    total_passes: 2
   t/30-Common-Safelib.t:
-    elapsed: 0.0283739566802979
+    elapsed: 0.0150928497314453
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.40529
+    last_pass_time: 1568228253.58625
     last_result: 0
-    last_run_time: 1567071550.40529
+    last_run_time: 1568228253.58625
     last_todo: 0
-    seq: 1
+    mtime: 1566161617
-    total_passes: 1
+    seq: 18
+    total_passes: 2
   t/35-Common-Crypto.t:
-    elapsed: 0.190783977508545
+    elapsed: 0.0329771041870117
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.63236
+    last_pass_time: 1568228253.46102
     last_result: 0
-    last_run_time: 1567071550.63236
+    last_run_time: 1568228253.46102
     last_todo: 0
-    seq: 3
+    mtime: 1567541253
-    total_passes: 1
+    seq: 12
+    total_passes: 2
   t/36-Common-Regexp.t:
-    elapsed: 0.0631709098815918
+    elapsed: 0.00531005859375
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071550.50944
+    last_pass_time: 1568228253.59092
     last_result: 0
-    last_run_time: 1567071550.50944
+    last_run_time: 1568228253.59092
     last_todo: 0
-    seq: 2
+    mtime: 1566161618
-    total_passes: 1
+    seq: 20
+    total_passes: 2
   t/40-Common-Session.t:
-    elapsed: 0.184284210205078
+    elapsed: 0.0833292007446289
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071551.11977
+    last_pass_time: 1568228253.51475
     last_result: 0
-    last_run_time: 1567071551.11977
+    last_run_time: 1568228253.51475
     last_todo: 0
-    seq: 9
+    mtime: 1566161618
-    total_passes: 1
+    seq: 15
+    total_passes: 2
   t/50-Combination-Parser.t:
-    elapsed: 0.108580827713013
+    elapsed: 0.0678761005401611
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071551.1593
+    last_pass_time: 1568228253.50556
     last_result: 0
-    last_run_time: 1567071551.1593
+    last_run_time: 1568228253.50556
     last_todo: 0
-    seq: 10
+    mtime: 1566161617
-    total_passes: 1
+    seq: 13
+    total_passes: 2
   t/99-pod.t:
-    elapsed: 0.128799915313721
+    elapsed: 0.100279092788696
-    gen: 2
+    gen: 3
-    last_pass_time: 1567071551.30716
+    last_pass_time: 1568228253.57739
     last_result: 0
-    last_run_time: 1567071551.30716
+    last_run_time: 1568228253.57739
     last_todo: 0
-    seq: 11
+    mtime: 1566161617
-    total_passes: 1
+    seq: 17
+    total_passes: 2
 version: 1
 ...

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm

@@ -24,7 +24,7 @@ use constant MANAGERSECTION  => "manager";
 use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
 use constant APPLYSECTION            => "apply";
 our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
-our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|bruteForceProtection)$/;
+our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
 
 our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -200,6 +200,10 @@ sub defaultValues {
         'pamAuthnLevel'                       => 2,
         'pamService'                          => 'login',
         'passwordDB'                          => 'Demo',
+        'passwordPolicyMinDigit'              => 0,
+        'passwordPolicyMinLower'              => 0,
+        'passwordPolicyMinSize'               => 0,
+        'passwordPolicyMinUpper'              => 0,
         'passwordResetAllowedRetries'         => 3,
         'port'                                => -1,
         'portal'                              => 'http://auth.example.com/',
@@ -235,9 +239,10 @@ sub defaultValues {
               'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
             'proxy' => 'http://auth.example.com/sessions'
         },
-        'requireToken'     => 1,
+        'requireToken'       => 1,
-        'rest2fActivation' => 0,
+        'rest2fActivation'   => 0,
-        'restAuthnLevel'   => 2,
+        'restAuthnLevel'     => 2,
+        'restClockTolerance' => 15,
         'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
           'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
         'samlAuthnContextMapKerberos'                   => 4,

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm

@@ -36,7 +36,7 @@ our $authParameters = {
   adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)],
   apacheParams => [qw(apacheAuthnLevel)],
   casParams => [qw(casAuthnLevel)],
-  choiceParams => [qw(authChoiceParam authChoiceModules)],
+  choiceParams => [qw(authChoiceParam authChoiceModules authChoiceAuthBasic)],
   combinationParams => [qw(combination combModules combinationForms)],
   customParams => [qw(customAuth customUserDB customPassword customRegister customAddParams)],
   dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash dbiDynamicHashEnabled dbiDynamicHashValidSchemes dbiDynamicHashValidSaltedSchemes dbiDynamicHashNewPasswordScheme)],
@@ -44,7 +44,7 @@ our $authParameters = {
   facebookParams => [qw(facebookAuthnLevel facebookExportedVars facebookAppId facebookAppSecret facebookUserField)],
   gpgParams => [qw(gpgAuthnLevel gpgDb)],
   kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
-  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword)],
+  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
   linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInUserField linkedInScope)],
   nullParams => [qw(nullAuthnLevel)],
   oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/AuthBasic.pm

@@ -2,7 +2,7 @@ package Lemonldap::NG::Handler::Lib::AuthBasic;
 
 use strict;
 use Exporter;
-use Digest::MD5;
+use Digest::SHA;
 use MIME::Base64;
 use HTTP::Headers;
 
@@ -29,7 +29,7 @@ sub fetchId {
         $creds =~ s/^Basic\s+//;
         my @date = localtime;
         my $day  = $date[5] * 366 + $date[7];
-        return Digest::MD5::md5_hex( $creds . $day );
+        return Digest::SHA::sha256_hex( $creds . $day );
     }
     else {
         return 0;
@@ -94,7 +94,13 @@ sub createSession {
         build_urlencoded(
             user     => $user,
             password => $pwd,
-            secret   => $class->tsv->{cipher}->encrypt(time)
+            secret   => $class->tsv->{cipher}->encrypt(time),
+            (
+                $class->tsv->{authChoiceAuthBasic}
+                ? ( $class->tsv->{authChoiceParam} =>
+                      $class->tsv->{authChoiceAuthBasic} )
+                : ()
+            )
         )
     );
     my $resp = $class->ua->request($get);
@@ -162,8 +168,8 @@ sub ua {
     my ($class) = @_;
     return $_ua if ($_ua);
     $_ua = Lemonldap::NG::Common::UserAgent->new( {
-            lwpOpts    => $class->localConfig->{lwpOpts},
+            lwpOpts    => $class->tsv->{lwpOpts},
-            lwpSslOpts => $class->localConfig->{lwpSslOpts}
+            lwpSslOpts => $class->tsv->{lwpSslOpts}
         }
     );
 

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm

@@ -197,7 +197,8 @@ sub defaultValuesInit {
         securedCookie           timeout            timeoutActivity
         timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
         useSafeJail             whatToTrace        handlerInternalCache
-        handlerServiceTokenTTL  customToTrace
+        handlerServiceTokenTTL  customToTrace      lwpOpts lwpSslOpts
+        authChoiceParam         authChoiceAuthBasic
         )
     );
 

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -278,6 +278,9 @@ sub attributes {
             'keyTest' => qr/\w/,
             'type'    => 'catAndAppList'
         },
+        'authChoiceAuthBasic' => {
+            'type' => 'text'
+        },
         'authChoiceModules' => {
             'keyMsgFail' => '__badChoiceKey__',
             'keyTest'    => qr/^(\d*)?[a-zA-Z0-9_]+$/,
@@ -605,6 +608,10 @@ sub attributes {
             'default' => 'TOTP,U2F,Yubikey',
             'type'    => 'text'
         },
+        'browsersDontStorePassword' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'bruteForceProtection' => {
             'default' => 0,
             'type'    => 'bool'
@@ -1475,6 +1482,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
             'default' => 0,
             'type'    => 'bool'
         },
+        'ldapITDS' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'ldapPasswordResetAttribute' => {
             'default' => 'pwdReset',
             'type'    => 'text'
@@ -2255,6 +2266,22 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
             ],
             'type' => 'select'
         },
+        'passwordPolicyMinDigit' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
+        'passwordPolicyMinLower' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
+        'passwordPolicyMinSize' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
+        'passwordPolicyMinUpper' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
         'passwordResetAllowedRetries' => {
             'default' => 3,
             'type'    => 'int'
@@ -2315,6 +2342,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => '$_oidcConnectedRP',
             'type'    => 'boolOrExpr'
         },
+        'portalDisplayPasswordPolicy' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'portalDisplayRegister' => {
             'default' => 1,
             'type'    => 'bool'
@@ -2609,6 +2640,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
         'restAuthUrl' => {
             'type' => 'url'
         },
+        'restClockTolerance' => {
+            'default' => 15,
+            'type'    => 'int'
+        },
         'restConfigServer' => {
             'default' => 0,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -877,6 +877,11 @@ sub attributes {
             default       => '^[\w\.\-@]+$',
             documentation => 'Regular expression to validate login',
         },
+        browsersDontStorePassword => {
+            default       => 0,
+            type          => 'bool',
+            documentation => 'Avoid browsers to store users password',
+        },
         useRedirectOnError => {
             type          => 'bool',
             default       => 1,
@@ -1297,6 +1302,31 @@ sub attributes {
             type          => 'bool',
             documentation => 'Hide old password in portal',
         },
+        passwordPolicyMinSize => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Password policy: minimal size',
+        },
+        passwordPolicyMinLower => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Password policy: minimal lower characters',
+        },
+        passwordPolicyMinUpper => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Password policy: minimal upper characters',
+        },
+        passwordPolicyMinDigit => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Password policy: minimal digit characters',
+        },
+        portalDisplayPasswordPolicy => {
+            default       => 0,
+            type          => 'bool',
+            documentation => 'Display policy in password form',
+        },
 
         # SMTP server
         SMTPServer => {
@@ -1798,6 +1828,12 @@ sub attributes {
             documentation =>
               'Allow to export secret keys in REST session server',
         },
+        restClockTolerance => {
+            default => 15,
+            type    => 'int',
+            documentation =>
+              'How tolerant the REST session server will be to clock dift',
+        },
         restConfigServer => {
             default       => 0,
             type          => 'bool',
@@ -2970,6 +3006,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
             type          => 'bool',
             documentation => 'Allow a user to reset his expired password',
         },
+        ldapITDS => {
+            default       => 0,
+            type          => 'bool',
+            documentation => 'Support for IBM Tivoli Directory Server',
+        },
 
         # SSL
         SSLAuthnLevel => {
@@ -3298,6 +3339,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
             default       => 'lmAuth',
             documentation => 'Applications list',
         },
+        authChoiceAuthBasic => {
+            type          => 'text',
+            documentation => 'Auth module used by AuthBasic handler',
+        },
         authChoiceModules => {
             type       => 'authChoiceContainer',
             keyTest    => qr/^(\d*)?[a-zA-Z0-9_]+$/,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -85,7 +85,12 @@ sub tree {
                                     nodes => [
                                         'portalRequireOldPassword',
                                         'hideOldPassword',
-                                        'mailOnPasswordChange'
+                                        'mailOnPasswordChange',
+                                        'passwordPolicyMinSize',
+                                        'passwordPolicyMinLower',
+                                        'passwordPolicyMinUpper',
+                                        'passwordPolicyMinDigit',
+                                        'portalDisplayPasswordPolicy',
                                     ]
                                 },
                                 {
@@ -134,7 +139,7 @@ sub tree {
                         {
                             title => 'choiceParams',
                             help  => 'authchoice.html',
-                            nodes => [ 'authChoiceParam', 'authChoiceModules' ]
+                            nodes => [ 'authChoiceParam',  'authChoiceModules', 'authChoiceAuthBasic' ]
                         },
                         {
                             title => 'apacheParams',
@@ -286,7 +291,8 @@ sub tree {
                                         'ldapUsePasswordResetAttribute',
                                         'ldapPasswordResetAttribute',
                                         'ldapPasswordResetAttributeValue',
-                                        'ldapAllowResetExpiredPassword'
+                                        'ldapAllowResetExpiredPassword',
+                                        'ldapITDS'
                                     ]
                                 },
                             ]
@@ -587,9 +593,9 @@ sub tree {
                             form  => 'simpleInputContainer',
                             nodes => [
                                 'wsdlServer',           'restSessionServer',
-                                'restExportSecretKeys', 'restConfigServer',
+                                'restExportSecretKeys', 'restClockTolerance',
-                                'soapSessionServer',    'soapConfigServer',
+                                'restConfigServer',     'soapSessionServer',
-                                'exportedAttr',
+                                'soapConfigServer',     'exportedAttr',
                             ]
                         },
                         {
@@ -868,6 +874,7 @@ sub tree {
                             help => 'security.html#configure_security_settings',
                             nodes => [
                                 'userControl',
+                                'browsersDontStorePassword',
                                 'portalForceAuthn',
                                 'portalForceAuthnInterval',
                                 'key',

lemonldap-ng-manager/site/htdocs/static/forms/casSrvMetaDataNode.html

@@ -14,8 +14,8 @@
   "title": "addSrvCasPartner",
   "action": "addCasSrv",
   "icon": "plus-sign"
-}, {
+},{
   "title": "deleteEntry",
-  "icon": "plus-sign"
+  "icon": "minus-sign"
 }]
 </script>

lemonldap-ng-manager/site/htdocs/static/forms/menuApp.html

@@ -100,11 +100,11 @@
 },{
   "title": "down",
   "icon": "arrow-down"
-},{
-  "title": "deleteEntry",
-  "icon": "minus-sign"
 },{
   "title": "newApp",
   "icon": "plus-sign"
+},{
+  "title": "deleteEntry",
+  "icon": "minus-sign"
 }]
 </script>

lemonldap-ng-manager/site/htdocs/static/forms/menuCat.html

@@ -27,12 +27,12 @@
 },{
   "title": "down",
   "icon": "arrow-down"
-},{
-  "title": "deleteEntry",
-  "icon": "minus-sign"
 },{
   "title": "newApp",
   "icon": "plus-sign"
+},{
+  "title": "deleteEntry",
+  "icon": "minus-sign"
 }]
 </script>
 <!-- Uncomment this snippet to enable sub categories
@@ -43,15 +43,15 @@
 },{
   "title": "down",
   "icon": "arrow-down"
-},{
-  "title": "deleteEntry",
-  "icon": "minus-sign"
 },{
   "title": "newCat",
   "icon": "plus-sign"
 },{
   "title": "newApp",
   "icon": "plus-sign"
+},{
+  "title": "deleteEntry",
+  "icon": "minus-sign"
 }]
 </script>
 -->

lemonldap-ng-manager/site/htdocs/static/forms/samlAttribute.html

@@ -50,10 +50,10 @@
 </div>
 <script type="text/menu">
 [{
-  "title": "deleteEntry",
-  "icon": "minus-sign"
-},{
   "title": "addSamlAttribute",
   "icon": "plus-sign"
+},{
+  "title": "deleteEntry",
+  "icon": "minus-sign"
 }]
 </script>

lemonldap-ng-manager/site/htdocs/static/forms/samlIDPMetaDataNode.html

@@ -14,8 +14,8 @@
   "title": "addIDPSamlPartner",
   "action": "addSamlIDP",
   "icon": "plus-sign"
-}, {
+},{
   "title": "deleteEntry",
-  "icon": "plus-sign"
+  "icon": "minus-sign"
 }]
 </script>

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"الترخيص وقاعدة بيانات المستخدم",
 "authChain":"سلسلة إثبات الهوية",
 "authChoice":"اختيار إثبات الهوية",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"الوحدات المسموح بها",
 "authChoiceParam":"معايير URL",
 "authentication":"وحدة إثبات الهوية",
@@ -94,6 +95,7 @@
 "badVariableName":"اسم المتغيرة خاطئ",
 "blackList":"القائمة السوداء",
 "browse":"تصفح",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"مستوى إثبات الهوية",
 "browserIdAutoLogin":"تسجيل الدخول التلقائي",
 "browserIdBackgroundColor":"لون الخلفية",
@@ -385,6 +387,7 @@
 "ldapGroupObjectClass":"أوبجكت كلاس",
 "ldapGroupRecursive":"تكراري",
 "ldapGroups":"المجموعات",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"معايير إل‌داب",
 "ldapPassword":"كلمة المرور",
 "ldapPasswordResetAttribute":"إعادة تعيين السمة",
@@ -630,6 +633,10 @@
 "password":"كلمة المرور",
 "passwordDB":"وحدة  كلمة المرور",
 "passwordManagement":"إدارة كلمة المرور",
+"passwordPolicyMinSize":"Minimal size",
+"passwordPolicyMinLower":"Minimal lower characters",
+"passwordPolicyMinUpper":"Minimal upper characters",
+"passwordPolicyMinDigit":"Minimal digit characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"الثابتة",
 "persistentSessions":"الجلسات الثابتة",
@@ -648,6 +655,7 @@
 "portalDisplayChangePassword":"تغيير كلمة المرور",
 "portalDisplayLoginHistory":"سجل تسجيل الدخول",
 "portalDisplayLogout":"تسجيل الخروج",
+"portalDisplayPasswordPolicy":"Display policy in password form",
 "portalDisplayOidcConsents":"OIDC Consents",
 "portalDisplayRegister":"تسجيل حساب جديد",
 "portalDisplayResetPassword":"إعادة تعيين كلمة المرور",
@@ -738,6 +746,7 @@
 "restPwdConfirmUrl":"عنوان اليو آر إل لتأكيد كلمة المرور",
 "restPwdModifyUrl":"عنوان اليو آر إل لتغيير كلمة المرور",
 "restSessionServer":"خادم جلسة ريست",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"عنوان يو آر إل لبيانات المستخدم",
 "returnUrl":"إرجاع اليو آر إل",
 "rp":"Relying Party",
@@ -1054,4 +1063,4 @@
 "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
 "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"Authz and user DB",
 "authChain":"Authentication chain",
 "authChoice":"Authentication choice",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"Allowed modules",
 "authChoiceParam":"URL parameter",
 "authentication":"Authentication module",
@@ -94,6 +95,7 @@
 "badVariableName":"Bad variable name",
 "blackList":"Black list",
 "browse":"Browse",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"Authentication level",
 "browserIdAutoLogin":"Automatic login",
 "browserIdBackgroundColor":"Background color",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Object class",
 "ldapGroupRecursive":"Recursive",
 "ldapGroups":"Groups",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"LDAP parameters",
 "ldapPassword":"Password",
 "ldapPasswordResetAttribute":"Reset attribute",
@@ -629,6 +632,10 @@
 "password":"Password",
 "passwordDB":"Password module",
 "passwordManagement":"Password management",
+"passwordPolicyMinSize":"Minimal size",
+"passwordPolicyMinLower":"Minimal lower characters",
+"passwordPolicyMinUpper":"Minimal upper characters",
+"passwordPolicyMinDigit":"Minimal digit characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Password change",
 "portalDisplayLoginHistory":"Login History",
 "portalDisplayLogout":"Logout",
+"portalDisplayPasswordPolicy":"Display policy in password form",
 "portalDisplayOidcConsents":"OIDC Consents",
 "portalDisplayRegister":"Register new account",
 "portalDisplayResetPassword":"Reset password",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",
@@ -1053,4 +1062,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"Authz and user DB",
 "authChain":"Authentication chain",
 "authChoice":"Authentication choice",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"Allowed modules",
 "authChoiceParam":"URL parameter",
 "authentication":"Authentication module",
@@ -94,6 +95,7 @@
 "badVariableName":"Bad variable name",
 "blackList":"Black list",
 "browse":"Browse",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"Authentication level",
 "browserIdAutoLogin":"Automatic login",
 "browserIdBackgroundColor":"Background color",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Object class",
 "ldapGroupRecursive":"Recursive",
 "ldapGroups":"Groups",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"LDAP parameters",
 "ldapPassword":"Password",
 "ldapPasswordResetAttribute":"Reset attribute",
@@ -629,6 +632,10 @@
 "password":"Password",
 "passwordDB":"Password module",
 "passwordManagement":"Password management",
+"passwordPolicyMinSize": "Minimal size",
+"passwordPolicyMinLower": "Minimal lower characters",
+"passwordPolicyMinUpper": "Minimal upper characters",
+"passwordPolicyMinDigit": "Minimal digit characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Password change",
 "portalDisplayLoginHistory":"Login History",
 "portalDisplayLogout":"Logout",
+"portalDisplayPasswordPolicy": "Display policy in password form",
 "portalDisplayOidcConsents":"OIDC Consents",
 "portalDisplayRegister":"Register new account",
 "portalDisplayResetPassword":"Reset password",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"Authent. et BD utilisateurs",
 "authChain":"Chaîne d'authentification",
 "authChoice":"Choix d'authentification",
+"authChoiceAuthBasic":"Paramètre du handler AuthBasic",
 "authChoiceModules":"Modules autorisés",
 "authChoiceParam":"Paramètre de l'URL",
 "authentication":"Module d'authentification",
@@ -94,6 +95,7 @@
 "badVariableName":"Mauvais nom de variable",
 "blackList":"Liste noire",
 "browse":"Naviguer",
+"browsersDontStorePassword":"Interdire aux navigateurs de sauvegarder le mot de passe",
 "browserIdAuthnLevel":"Niveau d'authentification",
 "browserIdAutoLogin":"Authentification automatique",
 "browserIdBackgroundColor":"Couleur d'arrière plan",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Classe d'objet",
 "ldapGroupRecursive":"Récursif",
 "ldapGroups":"Groupes",
+"ldapITDS":"Support IBM Tivoli DS",
 "ldapParams":"Paramètres LDAP",
 "ldapPassword":"Mot de passe",
 "ldapPasswordResetAttribute":"Attribut de réinitialisation",
@@ -629,6 +632,10 @@
 "password":"Mot-de-passe",
 "passwordDB":"Module de mot de passe",
 "passwordManagement":"Gestion des mots de passe",
+"passwordPolicyMinSize": "Taille minimale",
+"passwordPolicyMinLower": "Minimum de minuscules",
+"passwordPolicyMinUpper": "Minimum de majuscules",
+"passwordPolicyMinDigit": "Minimum de chiffres",
 "passwordResetAllowedRetries":"Nombre d'essais pour réinitialiser le mot de passe",
 "persistent":"Persistantes",
 "persistentSessions":"Sessions persistantes",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Changement de mot de passe",
 "portalDisplayLoginHistory":"Historique des connexions",
 "portalDisplayLogout":"Déconnexion",
+"portalDisplayPasswordPolicy": "Afficher la politique dans le formulaire de mot de passe",
 "portalDisplayOidcConsents":"Accords OIDC",
 "portalDisplayRegister":"Création d'un nouveau compte",
 "portalDisplayResetPassword":"Réinitialisation de mot de passe",
@@ -686,7 +694,7 @@
 "radius2fActivation":"Activation",
 "radius2fServer":"Nom d'hôte du serveur",
 "radius2fSecret":"Secret partagé",
-"radius2fUsernameSessionKey":"Clé de session contenant le login",
+"radius2fUsernameSessionKey":"Clef de session contenant le login",
 "radius2fTimeout":"Délai maximum d'authentification",
 "radius2fAuthnLevel":"Niveau d'authentification",
 "radius2fLogo":"Logo",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
 "restPwdModifyUrl":"URL de modification de mot-de-passe",
 "restSessionServer":"Serveur de sessions REST",
+"restClockTolerance":"Tolérance aux écarts d'horloge",
 "restUserDBUrl":"URL de données utilisateurs",
 "returnUrl":"URL de retour",
 "rp":"Client",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"Authz e utente DB",
 "authChain":"Catena di autenticazione",
 "authChoice":"Scelta di autenticazione",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"Moduli consentiti",
 "authChoiceParam":"Parametri URL",
 "authentication":"Modulo di autenticazione",
@@ -94,6 +95,7 @@
 "badVariableName":"Nome variabile errato",
 "blackList":"Black list",
 "browse":"Naviga",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"Livello di autenticazione",
 "browserIdAutoLogin":"Login automatico",
 "browserIdBackgroundColor":"Colore di sfondo",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Classe oggetto",
 "ldapGroupRecursive":"Ricorsivo",
 "ldapGroups":"Gruppi",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"Parametri LDAP",
 "ldapPassword":"Password",
 "ldapPasswordResetAttribute":"Reset attributo",
@@ -629,6 +632,10 @@
 "password":"Password",
 "passwordDB":"Modulo password",
 "passwordManagement":"Gestione password",
+"passwordPolicyMinSize":"Minimal size",
+"passwordPolicyMinLower":"Minimal lower characters",
+"passwordPolicyMinUpper":"Minimal upper characters",
+"passwordPolicyMinDigit":"Minimal digit characters",
 "passwordResetAllowedRetries":"Max tentativi di reimpostazione della password",
 "persistent":"Persistente",
 "persistentSessions":"Sessioni persistenti",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Cambio password",
 "portalDisplayLoginHistory":"Cronologia login",
 "portalDisplayLogout":"Logout",
+"portalDisplayPasswordPolicy":"Display policy in password form",
 "portalDisplayOidcConsents":"Consensi OIDC",
 "portalDisplayRegister":"Registra nuovo account",
 "portalDisplayResetPassword":"Reimposta password",
@@ -684,7 +692,7 @@
 "purgeNotification":"Elimina definitivamente la notifica",
 "radius2f":"Radius second factor",
 "radius2fActivation":"Attivazione",
-"radius2fServer":"Server hostname",
+"radius2fServer":"Nome host del server",
 "radius2fSecret":"Segreto condiviso",
 "radius2fUsernameSessionKey":"Session key containing login",
 "radius2fTimeout":"Authentication timeout",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"URL di conferma password",
 "restPwdModifyUrl":"URL di modifica password",
 "restSessionServer":"Server di sessione REST",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"URL dei dati utente",
 "returnUrl":"URL di ritorno",
 "rp":"Parte facente affidamento",
@@ -1053,4 +1062,4 @@
 "samlRelayStateTimeout":"Timeout di sessione di RelayState",
 "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
 "samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"Authz và user DB",
 "authChain":"Chuỗi xác thực",
 "authChoice":"Lựa chọn xác thực",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"Các mô-đun được phép",
 "authChoiceParam":"Tham số URL",
 "authentication":"Mô đun xác thực",
@@ -94,6 +95,7 @@
 "badVariableName":"Tên biến không hợp lệ",
 "blackList":"Danh sách đen",
 "browse":"Duyệt",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"Mức xác thực",
 "browserIdAutoLogin":"Đăng nhập tự động",
 "browserIdBackgroundColor":"Màu nền",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Lớp đối tượng",
 "ldapGroupRecursive":"Đệ quy",
 "ldapGroups":"Nhóm",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"Thông số LDAP",
 "ldapPassword":"Mật khẩu",
 "ldapPasswordResetAttribute":"Đặt lại thuộc tính",
@@ -629,6 +632,10 @@
 "password":"Mật khẩu",
 "passwordDB":"Mô-đun mật khẩu",
 "passwordManagement":"Quản lý mật khẩu",
+"passwordPolicyMinSize":"Minimal size",
+"passwordPolicyMinLower":"Minimal lower characters",
+"passwordPolicyMinUpper":"Minimal upper characters",
+"passwordPolicyMinDigit":"Minimal digit characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Duy trì",
 "persistentSessions":"Duy trì phiên",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Thay đổi mật khẩu",
 "portalDisplayLoginHistory":"Lịch sử đăng nhập",
 "portalDisplayLogout":"Đăng xuất",
+"portalDisplayPasswordPolicy":"Display policy in password form",
 "portalDisplayOidcConsents":"OIDC Consents",
 "portalDisplayRegister":"Đăng ký tài khoản mới",
 "portalDisplayResetPassword":"Đặt lại mật khẩu",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"URL xác nhận mật khẩu",
 "restPwdModifyUrl":"URL thay đổi mật khẩu",
 "restSessionServer":"Máy chủ phiên REST",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"URL dữ liệu người dùng",
 "returnUrl":"Trả lại URL",
 "rp":"Relying Party",
@@ -1053,4 +1062,4 @@
 "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
 "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -54,6 +54,7 @@
 "authAndUserdb":"授权和用户数据库",
 "authChain":"认证chain",
 "authChoice":"认证方式选择",
+"authChoiceAuthBasic":"AuthBasic handler parameter",
 "authChoiceModules":"允许的模块",
 "authChoiceParam":"URL 参数",
 "authentication":"认证模块",
@@ -94,6 +95,7 @@
 "badVariableName":"无效的 variable 名称",
 "blackList":"黑名单",
 "browse":"浏览",
+"browsersDontStorePassword":"Avoid browsers to store users password",
 "browserIdAuthnLevel":"认证等级",
 "browserIdAutoLogin":"自动登录",
 "browserIdBackgroundColor":"背景颜色",
@@ -384,6 +386,7 @@
 "ldapGroupObjectClass":"Object class",
 "ldapGroupRecursive":"Recursive",
 "ldapGroups":"Groups",
+"ldapITDS":"IBM Tivoli DS support",
 "ldapParams":"LDAP parameters",
 "ldapPassword":"密码",
 "ldapPasswordResetAttribute":"Reset attribute",
@@ -629,6 +632,10 @@
 "password":"Password",
 "passwordDB":"Password module",
 "passwordManagement":"Password management",
+"passwordPolicyMinSize":"Minimal size",
+"passwordPolicyMinLower":"Minimal lower characters",
+"passwordPolicyMinUpper":"Minimal upper characters",
+"passwordPolicyMinDigit":"Minimal digit characters",
 "passwordResetAllowedRetries":"Max reset password retries",
 "persistent":"Persistent",
 "persistentSessions":"Persistent sessions",
@@ -647,6 +654,7 @@
 "portalDisplayChangePassword":"Password change",
 "portalDisplayLoginHistory":"Login History",
 "portalDisplayLogout":"Logout",
+"portalDisplayPasswordPolicy":"Display policy in password form",
 "portalDisplayOidcConsents":"OIDC Consents",
 "portalDisplayRegister":"Register new account",
 "portalDisplayResetPassword":"Reset password",
@@ -737,6 +745,7 @@
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
 "restSessionServer":"REST session server",
+"restClockTolerance":"REST server clock tolerance",
 "restUserDBUrl":"User data URL",
 "returnUrl":"Return URL",
 "rp":"Relying Party",
@@ -1053,4 +1062,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-portal/MANIFEST

@@ -258,6 +258,7 @@ site/htdocs/static/common/en.png
 site/htdocs/static/common/es.png
 site/htdocs/static/common/favicon.ico
 site/htdocs/static/common/fi.png
+site/htdocs/static/common/fonts/password.ttf
 site/htdocs/static/common/fr.png
 site/htdocs/static/common/icons/application_cascade.png
 site/htdocs/static/common/icons/arrow_refresh.png
@@ -397,6 +398,7 @@ site/templates/bootstrap/openidform.tpl
 site/templates/bootstrap/openIdPol.tpl
 site/templates/bootstrap/openIdTrust.tpl
 site/templates/bootstrap/password.tpl
+site/templates/bootstrap/passwordpolicy.tpl
 site/templates/bootstrap/public/test.tpl
 site/templates/bootstrap/pwdWillExpire.tpl
 site/templates/bootstrap/redirect.tpl
@@ -554,6 +556,7 @@ t/42-Register-Demo.t
 t/42-Register-LDAP.t
 t/42-Register-Security.t
 t/43-MailPasswordReset-Choice.t
+t/43-MailPasswordReset-Combination-LDAP.t
 t/43-MailPasswordReset-DBI.t
 t/43-MailPasswordReset-LDAP.t
 t/43-MailPasswordReset-with-captcha.t

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm

@@ -25,7 +25,7 @@ sub init {
     my $self = shift;
     my $file;
     unless ( $file = $self->conf->{krbKeytab} ) {
-        $self->error('Keytab not defined');
+        $self->logger->error('Keytab not defined');
         return 0;
     }
     $self->keytab("FILE:$file");

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm

@@ -103,6 +103,12 @@ sub authLogout {
 
 sub getForm {
     my ( $self, $req ) = @_;
+    $req->tplParams->{DISPLAY_PPOLICY} =
+      $self->conf->{portalDisplayPasswordPolicy};
+    $req->tplParams->{PPOLICY_MINSIZE}  = $self->conf->{passwordPolicyMinSize};
+    $req->tplParams->{PPOLICY_MINLOWER} = $self->conf->{passwordPolicyMinLower};
+    $req->tplParams->{PPOLICY_MINUPPER} = $self->conf->{passwordPolicyMinUpper};
+    $req->tplParams->{PPOLICY_MINDIGIT} = $self->conf->{passwordPolicyMinDigit};
     if (
            $req->{error} == PE_PP_CHANGE_AFTER_RESET
         or $req->{error} == PE_PP_MUST_SUPPLY_OLD_PASSWORD

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm

@@ -11,6 +11,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
   PE_SAML_SIGNATURE_ERROR
   PE_SAML_SLO_ERROR
   PE_SAML_SSO_ERROR
+  PE_ISSUERMISSINGREQATTR
   PE_SAML_UNKNOWN_ENTITY
   PE_SAML_SERVICE_NOT_ALLOWED
   PE_UNAUTHORIZEDPARTNER
@@ -612,7 +613,7 @@ sub run {
                         $self->logger->error(
 "Session key $_ is required to set SAML $name attribute"
                         );
-                        return PE_SAML_SSO_ERROR;
+                        return PE_ISSUERMISSINGREQATTR;
                     }
                     else {
                         $self->logger->debug(

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm

@@ -379,14 +379,29 @@ sub userModifyPassword {
         }
         $self->{portal}
           ->logger->debug( 'Modification return code: ' . $mesg->code );
+        $self->{portal}
+          ->logger->debug( 'Modification return error: ' . $mesg->error );
+
+        # Manage specific errors for IBM Tivoli DS
+        if ( $self->{conf}->{ldapITDS} ) {
+            my $itds_code = $self->getITDSError($mesg);
+            return $itds_code unless ( $itds_code == PE_PASSWORD_OK );
+        }
+
+        # Manage specific errors for Active Directory
+        if ($ad) {
+            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
+              if ( $mesg->code == 53 );
+            return PE_PP_PASSWORD_MOD_NOT_ALLOWED
+              if ( $mesg->code == 19 );
+        }
+
+        # Standard errors
         return PE_WRONGMANAGERACCOUNT
           if ( $mesg->code == 50 || $mesg->code == 8 );
-        return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
-          if ( $mesg->code == 53 && $ad );
-        return PE_PP_PASSWORD_MOD_NOT_ALLOWED
-          if ( $mesg->code == 19 && $ad );
         return PE_LDAPERROR unless ( $mesg->code == 0 );
-        $self->{portal}->userLogger->notice("Password changed $dn");
+
+        $self->{portal}->userLogger->notice("Password changed for $dn");
 
         # Rebind as manager for next LDAP operations if we were bound as user
         $self->bind() if $asUser;
@@ -725,4 +740,30 @@ sub convertSec {
     return ( $day, $hrs, $min, $sec );
 }
 
+## @method int getITDSError(Net::LDAP::Message mesg)
+# Check error message to return according error code
+# @param mesg Modification return message
+# @return portal error code
+sub getITDSError {
+    my ( $self, $mesg ) = @_;
+
+    return PE_PP_MUST_SUPPLY_OLD_PASSWORD
+      if ( $mesg->code == 53 && $mesg->error =~ /Must supply old password/i );
+    return PE_PP_CHANGE_AFTER_RESET
+      if ( $mesg->code == 53
+        && $mesg->error =~ /Password must be changed after reset/i );
+    return PE_PP_PASSWORD_MOD_NOT_ALLOWED
+      if ( $mesg->code == 53
+        && $mesg->error =~ /Password may not be modified/i );
+    return PE_PP_PASSWORD_TOO_YOUNG
+      if ( $mesg->code == 19 && $mesg->error =~ /Password too young/i );
+    return PE_PP_PASSWORD_TOO_SHORT
+      if ( $mesg->code == 19 && $mesg->error =~ /Password too short/i );
+    return PE_PP_PASSWORD_IN_HISTORY
+      if ( $mesg->code == 19 && $mesg->error =~ /Password in History/i );
+    return PE_PP_INSUFFICIENT_PASSWORD_QUALITY if ( $mesg->code == 19 );
+
+    return PE_PASSWORD_OK;
+}
+
 1;

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm

@@ -99,6 +99,7 @@ use constant {
     PE_OID_SERVICE_NOT_ALLOWED           => 91,
     PE_GET_SERVICE_NOT_ALLOWED           => 92,
     PE_IMPERSONATION_SERVICE_NOT_ALLOWED => 93,
+    PE_ISSUERMISSINGREQATTR              => 94,
 };
 
 # EXPORTER PARAMETERS
@@ -127,6 +128,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
   PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT PE_MUSTAUTHN
   PE_MUSTHAVEMAIL PE_SAML_SERVICE_NOT_ALLOWED PE_OIDC_SERVICE_NOT_ALLOWED
   PE_OID_SERVICE_NOT_ALLOWED PE_GET_SERVICE_NOT_ALLOWED PE_IMPERSONATION_SERVICE_NOT_ALLOWED
+  PE_ISSUERMISSINGREQATTR
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm

@@ -292,6 +292,7 @@ sub display {
             AUTH_ERROR_TYPE       => $req->error_type,
             AUTH_URL              => $req->{data}->{_url},
             LOGIN                 => $login,
+            DONT_STORE_PASSWORD   => $self->conf->{browsersDontStorePassword},
             CHECK_LOGINS          => $self->conf->{portalCheckLogins},
             ASK_LOGINS            => $req->param('checkLogins') || 0,
             DISPLAY_RESETPASSWORD => $self->conf->{portalDisplayResetPassword},

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm

@@ -77,7 +77,7 @@ sub controlUrl {
                 $req->set_param( 'confirm', $c );
             }
             else {
-                $self->logger->notice('Confirmation to old, refused');
+                $self->logger->notice('Confirmation too old, refused');
                 $req->set_param( 'confirm', 0 );
             }
         }
@@ -93,7 +93,7 @@ sub controlUrl {
         else {
             if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
                 $self->userLogger->error(
-                    "Value must be in BASE64 (param: url | value: $url)");
+                    "Value must be BASE64 encoded (param: url | value: $url)");
                 return PE_BADURL;
             }
             $req->{urldc} = decode_base64($url);

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Password/Base.pm

@@ -54,44 +54,8 @@ sub _modifyPassword {
           unless ( $self->confirm( $req, $req->data->{oldpassword} ) );
     }
 
-    # Min size
+    my $cpq = $self->checkPasswordQuality( $req->data->{newpassword} );
-    if ( $self->conf->{passwordPolicyMinSize}
+    return $cpq unless ( $cpq == PE_OK );
-        and length( $req->data->{newpassword} ) <
-        $self->conf->{passwordPolicyMinSize} )
-    {
-        $self->logger->error("Password too short");
-        return PE_PP_PASSWORD_TOO_SHORT;
-    }
-
-    # Min lower
-    if ( $self->conf->{passwordPolicyMinLower} ) {
-        my $lower = 0;
-        $lower++ while ( $req->data->{newpassword} =~ m/\p{lowercase}/g );
-        if ( $lower < $self->conf->{passwordPolicyMinLower} ) {
-            $self->logger->error("Password has not enough lower characters");
-            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
-        }
-    }
-
-    # Min upper
-    if ( $self->conf->{passwordPolicyMinUpper} ) {
-        my $upper = 0;
-        $upper++ while ( $req->data->{newpassword} =~ m/\p{uppercase}/g );
-        if ( $upper < $self->conf->{passwordPolicyMinUpper} ) {
-            $self->logger->error("Password has not enough upper characters");
-            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
-        }
-    }
-
-    # Min digit
-    if ( $self->conf->{passwordPolicyMinDigit} ) {
-        my $digit = 0;
-        $digit++ while ( $req->data->{newpassword} =~ m/\d/g );
-        if ( $digit < $self->conf->{passwordPolicyMinDigit} ) {
-            $self->logger->error("Password has not enough digit characters");
-            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
-        }
-    }
 
     # Call password package
     my $res = $self->modifyPassword( $req, $req->data->{newpassword} );
@@ -126,4 +90,48 @@ sub _modifyPassword {
     return $res;
 }
 
+sub checkPasswordQuality {
+    my ( $self, $password ) = @_;
+
+    # Min size
+    if ( $self->conf->{passwordPolicyMinSize}
+        and length($password) < $self->conf->{passwordPolicyMinSize} )
+    {
+        $self->logger->error("Password too short");
+        return PE_PP_PASSWORD_TOO_SHORT;
+    }
+
+    # Min lower
+    if ( $self->conf->{passwordPolicyMinLower} ) {
+        my $lower = 0;
+        $lower++ while ( $password =~ m/\p{lowercase}/g );
+        if ( $lower < $self->conf->{passwordPolicyMinLower} ) {
+            $self->logger->error("Password has not enough lower characters");
+            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
+        }
+    }
+
+    # Min upper
+    if ( $self->conf->{passwordPolicyMinUpper} ) {
+        my $upper = 0;
+        $upper++ while ( $password =~ m/\p{uppercase}/g );
+        if ( $upper < $self->conf->{passwordPolicyMinUpper} ) {
+            $self->logger->error("Password has not enough upper characters");
+            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
+        }
+    }
+
+    # Min digit
+    if ( $self->conf->{passwordPolicyMinDigit} ) {
+        my $digit = 0;
+        $digit++ while ( $password =~ m/\d/g );
+        if ( $digit < $self->conf->{passwordPolicyMinDigit} ) {
+            $self->logger->error("Password has not enough digit characters");
+            return PE_PP_INSUFFICIENT_PASSWORD_QUALITY;
+        }
+    }
+
+    return PE_OK;
+}
+
 1;

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm

@@ -132,6 +132,7 @@ sub run {
         my $separator = $self->{conf}->{multiValuesSeparator};
 
         ## GROUPS
+        $realSession->{$spg} ||= '';
         my @spoofGrps = split /\Q$separator/, $spoofSession->{groups};
         my @realGrps  = split /\Q$separator/, $realSession->{$spg};
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm

@@ -436,6 +436,13 @@ sub changePwd {
         }
     }
 
+    # Check password quality
+    require Lemonldap::NG::Portal::Password::Base;
+    my $cpq =
+      $self->Lemonldap::NG::Portal::Password::Base::checkPasswordQuality(
+        $req->data->{newpassword} );
+    return $cpq unless ( $cpq == PE_OK );
+
     # Modify the password TODO: change this
     # Populate $req->{user} for logging purpose
     my $tmp = $self->conf->{portalRequireOldPassword};
@@ -533,6 +540,11 @@ sub display {
         DISPLAY_CONFIRMMAILSENT => 0,
         DISPLAY_MAILSENT        => 0,
         DISPLAY_PASSWORD_FORM   => 0,
+        DISPLAY_PPOLICY         => $self->conf->{portalDisplayPasswordPolicy},
+        PPOLICY_MINSIZE         => $self->conf->{passwordPolicyMinSize},
+        PPOLICY_MINLOWER        => $self->conf->{passwordPolicyMinLower},
+        PPOLICY_MINUPPER        => $self->conf->{passwordPolicyMinUpper},
+        PPOLICY_MINDIGIT        => $self->conf->{passwordPolicyMinDigit},
     );
     if ( $req->data->{mailToken}
         and

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm

@@ -213,8 +213,8 @@ sub newSession {
         my $t;
         if ( $t =
                 $self->conf->{cipher}->decrypt($s)
-            and $t <= time
+            and $t <= time + $self->conf->{restClockTolerance}
-            and $t > time - 15 )
+            and $t > time - $self->conf->{restClockTolerance} )
         {
             $force = 1;
         }
@@ -273,7 +273,7 @@ sub newAuthSession {
     $req->data->{password} = $req->param('password');
     $req->steps( [
             @{ $self->p->beforeAuth },
-            qw(getUser authenticate setAuthSessionInfo),
+            qw(getUser extractFormInfo authenticate setAuthSessionInfo),
             @{ $self->p->betweenAuthAndData },
             $self->p->sessionData,
             @{ $self->p->afterData },
@@ -308,8 +308,8 @@ sub updateSession {
         my $t;
         if ( $t =
                 $self->conf->{cipher}->decrypt($s)
-            and $t <= time
+            and $t <= time + $self->conf->{restClockTolerance}
-            and $t > time - 30 )
+            and $t > time - $self->conf->{restClockTolerance} )
         {
             $force = 1;
         }

lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.css

@@ -163,3 +163,15 @@ div.oidc_consent_message > ul {
 .progress-bar-animated {
   width: 100%;
 }
+
+input.key {
+  font-family: 'password';
+  width: 100px;  
+}
+
+@font-face {
+  font-family: 'password';
+  /*font-style: normal;*/
+  /*font-weight: 400;*/
+  src: url(/static/common/fonts/password.ttf);
+}

lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.min.css

@@ -1 +1 @@
-html,body{height:100%;background:radial-gradient(circle at 50% 0,#fff 0,#ddd 100%) no-repeat scroll 0 0 #ddd}#wrap{min-height:100%;height:auto;margin:0 auto -80px;padding:20px 0 80px}#footer{height:80px;background-color:#fff;background-color:rgba(255,255,255,0.9);text-align:center;padding-top:10px;overflow:hidden}#header img{background-color:#fff;background-color:rgba(255,255,255,0.8);margin-bottom:20px}.card,.navbar-light{background-color:#fff;background-color:rgba(255,255,255,0.9);background-image:none}.login,.password{text-align:center;padding:20px}div.form{margin:0 auto;max-width:330px}div.actions{margin:10px 0 0 0}div.actions a{margin-top:10px}.buttons{text-align:center;margin:10px 0 0 0;cursor:pointer}.btn{white-space:normal}.btn span.fa{padding-right:8px}li.ui-state-active{background-color:#fafafa;background-color:rgba(250,250,250,0.9)}#appslist,#password,#loginHistory,#logout,#oidcConsents{margin-top:20px}div.category{margin:10px 0;cursor:grab}div.application{margin:5px 0;overflow:hidden}div.application a,div.application a:hover{text-decoration:none}p.notifCheck label{margin-left:5px;margin-top:3px;display:inline-block}img.langicon{cursor:pointer}button.idploop{max-width:300px}button.idploop img{max-height:30px}div.oidc_consent_message>ul{text-align:left;list-style:circle}@media(min-width:768px){div.application{height:80px}div.application h4.appname{margin:0}#wrap{margin:0 auto -60px}#footer{height:60px}}.hiddenFrame{border:0;display:hidden;margin:0}.noborder{border:0}.max{width:100%}.link{cursor:pointer}.nodecor:hover,.nodecor:active.nodecor:focus{text-decoration:none}.fa.icon-blue{color:blue}.progress-bar-animated{width:100%}
+html,body{height:100%;background:radial-gradient(circle at 50% 0,#fff 0,#ddd 100%) no-repeat scroll 0 0 #ddd}#wrap{min-height:100%;height:auto;margin:0 auto -80px;padding:20px 0 80px}#footer{height:80px;background-color:#fff;background-color:rgba(255,255,255,0.9);text-align:center;padding-top:10px;overflow:hidden}#header img{background-color:#fff;background-color:rgba(255,255,255,0.8);margin-bottom:20px}.card,.navbar-light{background-color:#fff;background-color:rgba(255,255,255,0.9);background-image:none}.login,.password{text-align:center;padding:20px}div.form{margin:0 auto;max-width:330px}div.actions{margin:10px 0 0 0}div.actions a{margin-top:10px}.buttons{text-align:center;margin:10px 0 0 0;cursor:pointer}.btn{white-space:normal}.btn span.fa{padding-right:8px}li.ui-state-active{background-color:#fafafa;background-color:rgba(250,250,250,0.9)}#appslist,#password,#loginHistory,#logout,#oidcConsents{margin-top:20px}div.category{margin:10px 0;cursor:grab}div.application{margin:5px 0;overflow:hidden}div.application a,div.application a:hover{text-decoration:none}p.notifCheck label{margin-left:5px;margin-top:3px;display:inline-block}img.langicon{cursor:pointer}button.idploop{max-width:300px}button.idploop img{max-height:30px}div.oidc_consent_message>ul{text-align:left;list-style:circle}@media(min-width:768px){div.application{height:80px}div.application h4.appname{margin:0}#wrap{margin:0 auto -60px}#footer{height:60px}}.hiddenFrame{border:0;display:hidden;margin:0}.noborder{border:0}.max{width:100%}.link{cursor:pointer}.nodecor:hover,.nodecor:active.nodecor:focus{text-decoration:none}.fa.icon-blue{color:blue}.progress-bar-animated{width:100%}input.key{font-family:'password';width:100px}@font-face{font-family:'password';src:url(/static/common/fonts/password.ttf)}

lemonldap-ng-portal/site/htdocs/static/languages/ar.json

@@ -83,6 +83,7 @@
 "PE91":"Access not granted on OID service",
 "PE92":"Access not granted on GET service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"قبول",
 "accessDenied":"ليس لديك إذن بالدخول لهذا التطبيق",
@@ -192,6 +193,11 @@
 "openSSOSession":"افتح جلسة الدخول الموحد (سسو)",
 "otherSessions":"جلسات نشطة أخرى",
 "password":"كلمة المرور",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"المصادقات المتبقية، غير كلمة المرور الخاصة بك!",
 "proxyError":"بوابة سيئة: غير قادر على الانضمام لالخادم البعيد",
 "pwdChange":"تغيير كلمة المرور",

lemonldap-ng-portal/site/htdocs/static/languages/de.json

@@ -83,6 +83,7 @@
 "PE91":"Zugang zum OID-Service nicht genehmigt",
 "PE92":"Zugang zum GET-Service nicht genehmigt",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"Dieser Dienst benötigt Zwei-Faktor-Authentifizierung. Bitte legen Sie ein Gerät an und gehen dann zum Portal zurück.",
 "accept":"Akzeptieren",
 "accessDenied":"Sie haben keine Zugriffsberechtigung für diese Anwendung",
@@ -192,6 +193,11 @@
 "openSSOSession":"Eine SSO Sitzung öffnen",
 "otherSessions":"Andere aktive Sitzungen",
 "password":"Passwort",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"verbleibende Authentifizierungen, bitte Passwort ändern !",
 "proxyError":"Bad gateway: Der Remote-Server kann nicht verbunden werden",
 "pwdChange":"Passwortänderung",

lemonldap-ng-portal/site/htdocs/static/languages/en.json

@@ -83,6 +83,7 @@
 "PE91":"Access not granted on OID service",
 "PE92":"Access not granted on GET service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password": "Password",
+"passwordPolicy": "Please respect the following policy:",
+"passwordPolicyMinSize": "Minimal size:",
+"passwordPolicyMinLower": "Minimal lower characters:",
+"passwordPolicyMinUpper": "Minimal upper characters:",
+"passwordPolicyMinDigit": "Minimal digit characters:",
 "ppGrace": "authentications remaining, change your password!",
 "proxyError": "Bad gateway: unable to join remote server",
 "pwdChange":"Password change",

lemonldap-ng-portal/site/htdocs/static/languages/es.json

@@ -20,13 +20,13 @@
 "PE26":"Modificación de contraseña no autorizada",
 "PE27":"Para modificarla, introduzca la antigua contraseña",
 "PE28":"Calidad de contraseña insuficiente",
-"PE29":"Contraseña demasiado corta",
+"PE29":"Contraseña muy corta",
-"PE30":"Contraseña demasiado reciente",
+"PE30":"Contraseña muy reciente",
-"PE31":"Contraseña utilizada demasiado recientemente",
+"PE31":"Contraseña utilizada muy recientemente",
 "PE32":" autenticaciones restantes, cambie de contraseña",
-"PE33":"cambie su contraseña antes de %d días, %d horas, %d minutos y %d segundos antes de su expiración",
+"PE33":"Faltan %d días, %d horas, %d minutos y %d segundos para que su contraseña expire.",
 "PE34":"Las contraseñas no coinciden",
-"PE36":"Tiene un nuevo mensaje",
+"PE36":"Tiene un mensaje nuevo",
 "PE37":"URL incorrecta",
 "PE38":"Ningún esquema disponible",
 "PE39":"Antigua contraseña inválida",
@@ -41,7 +41,7 @@
 "PE49":"No se puede cargar el servicio SAML",
 "PE50":"Problema al cargar un proveedor de identidad",
 "PE51":"Error de autenticación SAML",
-"PE52":"Colaborador SAML no reconocido",
+"PE52":"Colaborador SAML desconocido",
 "PE53":"Dirección de destino SAML incorrecta",
 "PE54":"Las condiciones del mensaje SAML no se respetan",
 "PE55":"La autenticación iniciada por el proveedor de identidad no está autorizada",
@@ -49,179 +49,185 @@
 "PE57":"Error de gestión de la firma del mensaje SAML",
 "PE58":"Error de utilización de un artefacto SAML",
 "PE59":"Error de comunicación con las sesiones SAML",
-"PE60":"Problema al cargar un proveedor de servicio",
+"PE60":"Problema al cargar un proveedor de servicios",
 "PE61":"Error de intercambio de atributos SAML",
 "PE62":"Página destinada a los servidores OpenID",
 "PE63":"La identidad OpenID que quiere utilizar no le pertenece",
 "PE64":"Un atributo exigido no está disponible",
 "PE65":"Agrupación prohibida por la política de seguridad",
 "PE66":"E-mail de confirmación ya enviado",
-"PE67":"Contraseña no registrada",
+"PE67":"Contraseña no ingresada",
 "PE68":"Acceso no autorizado al servicio CAS",
 "PE69":"Introduzca su dirección e-mail",
-"PE70":"Sin usuario correspondiente",
+"PE70":"Ningún usuario coincide",
 "PE71":"Introduzca su nueva contraseña",
 "PE72":"Ha recibido un e-mail de confirmación",
 "PE73":"La conexión al servidor Radius ha fracasado",
-"PE74":"La antigua contraseña es obligatoria",
+"PE74":"La contraseña antigua es obligatoria",
-"PE75":"Dirección IP no acreditada",
+"PE75":"Usted vino de una dirección IP no acreditada",
 "PE76":"Error al registrar el captcha",
 "PE77":"Introduzca el captcha",
 "PE78":"Introduzca sus datos",
 "PE79":"Faltan datos",
-"PE80":"Esta dirección ya está utilizada",
+"PE80":"Esta dirección ya está siendo utilizada",
-"PE81":"Invalid authentication attempt",
+"PE81":"Intento de autenticación inválido",
-"PE82":"Exceeded authentication timeout",
+"PE82":"Tiempo de espera de autenticación exedido",
-"PE83":"U2F verification failed. Retry or contact your administrator",
+"PE83":"La verificación U2F ha fallado. Reintente o contacte su administrador",
-"PE84":"You're not authorized to access to this host",
+"PE84":"Usted no está autorizado a acceder a este servidor",
-"PE85":"The remote site ask for a newer session (and UpgradeSession plugin isn't loaded). Logout and retry",
+"PE85":"El sitio remoto pide una nueva sesión (y el plugin UpgradeSession no está cargado). Desconéctese y reintente",
-"PE86":"Your account is locked. You must wait 30s before authenticate again",
+"PE86":"Su cuenta está bloqueada. Espere 30s antes de autenticarse de nuevo",
-"PE87":"You must authenticate again to access to Portal",
+"PE87":"Debe autenticarse de nuevo para acceder al Portal",
-"PE88":"Your account must have an e-mail address in order to use double factor authentication",
+"PE88":"Su cuenta debe contar con una dirección de e-mail para poder utilizar la autenticación de dos factores",
 "PE89":"Acceso no autorizado al servicio SAML",
 "PE90":"Acceso no autorizado al servicio OIDC",
 "PE91":"Acceso no autorizado al servicio OID",
 "PE92":"Acceso no autorizado al servicio GET",
-"PE93":"Access not granted on IMPERSONATION service",
+"PE93":"Acceso no concedido al servicio de SUPLANTACIÓN",
-"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
+"PE94":"A required attribute is not available",
-"accept":"Accept",
+"2fRegRequired":"Este servicio necesita la autenticación de dos factores. Registre un dispositivo ahora, luego reingrese al portal.",
-"accessDenied":"You have no access authorization for this application",
+"accept":"Aceptar",
-"accountCreated":"Your account has been created, your temporary password has been sent to your mail address.",
+"accessDenied":"No está autorizado a acceder a esta aplicación",
-"accountCreationSuccess":"Your account was successfully created.",
+"accountCreated":"Su cuenta ha sido creada, su contraseña temporal ha sido enviada a su dirección de e-mail.",
-"action":"Action",
+"accountCreationSuccess":"Su cuenta fue creada con éxito.",
-"allowed":"Access ALLOWED",
+"action":"Acción",
-"anotherInformation":"Another information:",
+"allowed":"Acceso PERMITIDO",
-"areYouSure":"Are you sure?",
+"anotherInformation":"Otra información:",
-"askToRenew":"This application needs a more recent authentication. Do you want to reauthenticate?",
+"areYouSure":"¿Está seguro?",
-"askToUpgrade":"This application needs an higher authentication level. Do you want to reauthenticate?",
+"askToRenew":"Esta aplicación necesita una autenticación más reciente. ¿Desea reautenticar?",
-"attributes":"ATTRIBUTES",
+"askToUpgrade":"Esta aplicación requiere de un nivel de autenticación más alto. ¿Desea reautenticar?",
-"authPortal":"Authentication portal",
+"attributes":"ATRIBUTOS",
+"authPortal":"Portal de autenticación",
 "authRemaining":"%s authentications remaining, change your password!",
-"autoAccept":"Automatically accept in 30 seconds",
+"autoAccept":"Aceptar automáticamente en 30 segundos ",
 "back2CasUrl":"The application you just logged out of has provided a link it would like you to follow",
-"back2Portal":"Go back to portal",
+"back2Portal":"Volver al portal",
-"badCode":"Bad code",
+"badCode":"Código incorrecto",
-"badName":"Bad name",
+"badName":"Nombre incorrecto",
-"cancel":"Cancel",
+"cancel":"Cancelar",
 "captcha":"Captcha",
-"changeKey":"Generate new key",
+"changeKey":"Generar nueva llave",
-"changePwd":"Change your password",
+"changePwd":"Cambie su contraseña",
-"checkLastLogins":"Check my last logins",
+"checkLastLogins":"Verificar mis últimos accesos",
-"checkUser":"Check user SSO profile",
+"checkUser":"Verificar el perfil SSO del usuario ",
 "checkUserMerged":"Check user SSO profile. Some Real and Spoofed SSO groups are merged!",
 "checkUserComputeSession":"Computed session data!",
-"choose2f":"Choose your second factor",
+"choose2f":"Seleccione su segundo factor",
 "chooseApp":"Choose an application your are allowed to access to",
-"clickHere":"Please click here",
+"clickHere":"Por favor haga clic aquí",
-"clickOnYubikey":"Click on your Yubikey",
+"clickOnYubikey":"Haga clic en su Yubikey",
-"closeSSO":"Close your SSO session",
+"closeSSO":"Cierre su sesión SSO",
-"code":"Code",
+"code":"Código",
-"confirmation":"Confirmation",
+"confirmation":"Confirmación",
-"confirmLinkSent":"A confirmation link has been sent. This link is valid until ",
+"confirmLinkSent":"Un enlace de confirmación ha sido enviado. Este enlace es válido hasta",
-"confirmPwd":"Confirm password",
+"confirmPwd":"Confirmar contraseña",
-"connect":"Connect",
+"connect":"Conectar",
-"connectedAs":"Connected as",
+"connectedAs":"Conectado como ",
-"continue":"Continue",
+"continue":"Continuar",
-"createAccount":"Create an account",
+"createAccount":"Crear una cuenta",
-"currentPwd":"Current password",
+"currentPwd":"Contraseña actual",
-"date":"Date",
+"date":"Fecha",
-"enterCred":"Please enter your credentials",
+"enterCred":"Por favor ingrese sus credenciales",
-"enterExt2fCode":"A code has been sent to you. Please enter it",
+"enterExt2fCode":"Un código le ha sido enviado. Por favor ingréselo ",
-"enterMail2fCode":"A code has been sent to your email address. Please enter it",
+"enterMail2fCode":"Un código le ha sido enviado a dirección de e-mail. Por favor ingréselo",
 "enterOpenIDLogin":"Please enter your OpenID login",
-"enterRadius2fCode":"Please enter your OTP code",
+"enterRadius2fCode":"Por favor ingrese su código OTP",
-"enterRest2fCode":"Please enter your OTP code",
+"enterRest2fCode":"Por favor ingrese su código OTP",
-"enterTotpCode":"Enter TOTP code",
+"enterTotpCode":"Ingrese el código TOTP",
-"enterYubikey":"Please use your Yubikey",
+"enterYubikey":"Por favor utilice su Yubikey",
-"errorMsg":"Error Message",
+"errorMsg":"Mensaje de Error",
 "expired2Fremoved":"%s expired 2F devices have been removed!",
-"ext2f":"Verification code",
+"ext2f":"Código de verificación",
-"fillTheForm":"Fill the form",
+"fillTheForm":"Llene el formulario",
-"firstName":"First name",
+"firstName":"Nombre",
-"forbidden":"Access FORBIDDEN",
+"forbidden":"Acceso DENEGADO",
-"forgotPwd":"Forgot your password?",
+"forgotPwd":"Contraseña olvidada?",
-"generatePwd":"Generate the password automatically",
+"generatePwd":"Generar la contraseña automáticamente",
-"gotNewMessages":"You have some new messages",
+"gotNewMessages":"Tiene mensajes nuevos",
-"goToPortal":"Go to portal",
+"goToPortal":"Ir al portal",
-"gplSoft":"free software covered by the GPL license",
+"gplSoft":"Software libre cubierto bajo licencia GPL",
-"groups_sso":"SSO GROUPS",
+"groups_sso":"GRUPOS SSO",
 "headers":"HEADERS",
 "id":"Id",
-"contextSwitching_ON":"Impersonate another user",
+"contextSwitching_ON":"Suplantar otro usuario",
-"contextSwitching_OFF":"Stop impersonation",
+"contextSwitching_OFF":"Parar suplantación",
-"imSure":"I'm sure",
+"imSure":"Estoy seguro",
-"info":"Information",
+"info":"Información",
-"ipAddr":"IP address",
+"ipAddr":"Dirección IP",
-"key":"Key",
+"key":"Llave",
-"lastFailedLogins":"Last failed logins",
+"lastFailedLogins":"Últimas conexiones fallidas",
-"lastLogins":"Last logins",
+"lastLogins":"Últimas conexiones",
-"lastName":"Last name",
+"lastName":"Apellido(s)",
-"linkValidUntil":"This message contains a link to reset your password, this link is valid until ",
+"linkValidUntil":"Este mensaje contiene un enlace para reiniciar su contraseña, este enlace es válido hasta",
-"loginHistory":"Login history",
+"loginHistory":"Historial de conexión",
-"login":"Login",
+"login":"Conexión",
-"logout":"Logout",
+"logout":"Desconexión ",
-"logoutConfirm":"Do you want to logout?",
+"logoutConfirm":"¿Desea desconectarse?",
 "logoutFromOtherApp":"Logout from other applications ...",
-"logoutFromSP":"Logout from service providers ...",
+"logoutFromSP":"Desconectando proveedor de servicios...",
 "macros":"MACROS",
-"mail":"Mail",
+"mail":"E-mail",
-"mail2f":"Email code",
+"mail2f":"Código de e-mail",
-"mailSent2":"A message has been sent to your mail address.",
+"mailSent2":"Un mensaje ha sido enviado a su dirección de e-mail",
-"maintenanceMode":"This application is in maintenance, please try to connect later",
+"maintenanceMode":"Aplicación en mantenimiento, por favor intente conectarse luego",
 "maxNumberof2FDevicesReached":"Maximum number of 2F devices reached!",
-"missingCode":"Code is missing",
+"missingCode":"Código faltante",
-"name":"Name",
+"name":"Nombre",
-"newMessages":"New message(s)",
+"newMessages":"Nuevo(s) mensaje(s)",
-"newPassword":"New password",
+"newPassword":"Contraseña nueva",
-"newPwdSentTo":"A confirmation has been sent to your mail address.",
+"newPwdSentTo":"Una confirmación ha sido enviada a su dirección de e-mail.",
-"noHistory":"This is your first connection, welcome!",
+"noHistory":"Esta es su primera conexión, bienvenido.",
-"notAuthorized":"You're not authorized to do this",
+"notAuthorized":"Usted no está autorizado a hacer esto",
 "notFound":"Not found: you try to access to an unavailable page",
-"noTOTPFound":"No TOTP found",
+"noTOTPFound":"TOTP no encontrado",
-"noU2FKeyFound":"No U2F key found",
+"noU2FKeyFound":"Llave U2F no encontrada",
 "oidcConsent":"The application %s would like to know:",
 "oidcConsents":"OIDC consents",
 "oidcConsentsFull":"OpenID Connect consents",
 "oneExpired2Fremoved":"An expired 2F device has been removed!",
 "openidAp":"Do you agree to provide the following parameters?",
-"openIdExample":"for example:http://myopenid.org/toto",
+"openIdExample":"por ejemplo:http://myopenid.org/juan",
 "openidExchange":"Do you want to authenticate yourself on %s ?",
 "openidPA":"Data usage policy is available at",
 "openidRpns":"Parameter %s requested for federation isn't available",
-"openSessionSpace":"This space allow you to open a SSO session. This will help you to securely access to all applications authorized by your profile.",
+"openSessionSpace":"Este espacio le permite abrir una sesión SSO. Esto le ayudará a acceder de manera segura a todas las aplicaciones autorizadas por su perfil.",
-"openSSOSession":"Open your SSO session",
+"openSSOSession":"Abra su sesión SSO",
-"otherSessions":"Other active sessions",
+"otherSessions":"Otras sesiones activas",
-"password":"Password",
+"password":"Contraseña",
-"ppGrace":"authentications remaining, change your password!",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
+"ppGrace":"autenticaciones restantes, ¡cambie su contraseña!.",
 "proxyError":"Bad gateway: unable to join remote server",
-"pwdChange":"Password change",
+"pwdChange":"Cambio de contraseña",
-"pwd":"Password",
+"pwd":"Contraseña",
 "pwdResetAlreadyIssued":"A password reset request was already issued on ",
 "pwdWillExpire":"%s days, %s hours, %s minutes and %s seconds before password expiration, change it!",
 "radius2f":"Radius",
-"redirectedFrom":"You were redirect from ",
+"redirectedFrom":"Ha sido redirigido desde",
-"redirectedIn":"You'll be redirected in 30 seconds",
+"redirectedIn":"Usted será redirigido en 30 segundos",
-"redirectionInProgress":"Redirection in progress...",
+"redirectionInProgress":"Redirigiendo...",
-"redirectionToIdp":"Redirection to your Identity Provider",
+"redirectionToIdp":"Redirigiendo hacia su proveedor de identidad",
-"refreshrights":"Refresh my rights",
+"refreshrights":"Actualizar mis derechos",
-"refuse":"Refuse",
+"refuse":"Rechazar",
-"register":"Register",
+"register":"Registrar",
 "registerRequestAlreadyIssued":"A register request for this account was already issued on ",
-"rememberChoice":"Remember my choice",
+"rememberChoice":"Recordar mi elección",
 "removeOtherSessions":"Remove other sessions",
 "resendConfirmMail":"Resend confirmation mail?",
 "resentConfirm":"Do you want the confirmation mail to be resent?",
 "resetFavApps":"Reset my favorite Apps.",
-"resetPwd":"Reset my password",
+"resetPwd":"Reiniciar mi contraseña",
-"rest2f":"Verification code",
+"rest2f":"Código de verificación",
-"rightsReloadNeedsLogout":"Rights reloads need to logout and login again",
+"rightsReloadNeedsLogout":"La recarga de derechos necesita desconectarse y conectarse de nuevo",
 "scope":"Scope",
-"search":"Search",
+"search":"Buscar",
-"selectIdP":"Select your Identity Provider",
+"selectIdP":"Seleccione su proveedor de identidad",
-"service":"Service",
+"service":"Servicio",
-"sendPwd":"Send me a link",
+"sendPwd":"Enviarme un enlace",
 "serverError":"Error occurs on the server",
-"serviceProvidedBy":"Service provided by",
+"serviceProvidedBy":"Servicio proveído por",
 "sessionsDeleted":"The following sessions have been closed",
 "sfaManager":"2ndFA Manager",
 "spoofId":"Spoofed Id",
@@ -239,34 +245,34 @@
 "u2fPermission":"You may be prompted to allow the site permission to access your security keys. After granting permission, the device will start to blink.",
 "u2fWelcome":"U2F device management",
 "unableToGetKey":"Unable to access to your key. Retry or contact your administrator",
-"unknownAction":"Unknown action",
+"unknownAction":"Acción desconocida",
 "unregister":"Unregister",
 "updateCdc":"Update Common Domain Cookie",
 "upgradeSession":"Upgrade session",
-"user":"User",
+"user":"Usuario",
 "useYubikey":"use your Yubikey",
 "utotp2f":"TOTP-or-U2F",
-"value":"Value",
+"value":"Valor",
-"verify":"Verify",
+"verify":"Verificar",
-"VHnotFound":"Virtual Host not found",
+"VHnotFound":"Virtual Host no encontrado",
-"wait":"Wait",
+"wait":"Esperar",
 "waitingmessage":"Authentication in progress, please wait",
-"warning":"Warning",
+"warning":"Precaución",
 "welcomeOnPortal":"Welcome on your secured authentication portal.",
 "yesResendMail":"Yes, resend the mail",
-"yourAddress":"Your address",
+"yourAddress":"Su dirección",
-"yourApps":"Your applications",
+"yourApps":"Sus aplicaciones",
-"yourEmail":"Your email",
+"yourEmail":"Su e-mail",
 "yourFavApps":"Favorite applications",
-"yourIdentity":"Your identity",
+"yourIdentity":"Su identidad",
-"yourIdentityIs":"Your identity is",
+"yourIdentityIs":"Su identidad es",
-"yourKeyIsRegistered":"Your key is registered",
+"yourKeyIsRegistered":"Su llave está registrada",
-"yourKeyIsAlreadyRegistered":"Your key is ALREADY registered!",
+"yourKeyIsAlreadyRegistered":"¡Su llave YA FUE registrada!",
 "yourKeyIsUnregistered":"Your key has been unregistered",
-"yourKeyIsVerified":"Your key is verified",
+"yourKeyIsVerified":"Su llave está verificada",
 "yourNewTotpKey":"Your new TOTP key, please test it and enter the code",
 "yourPhone":"Your phone number",
 "yourProfile":"Your profile",
 "yourTotpKey":"Your TOTP key",
 "yubikey2f":"Yubikey"
-}
+}

lemonldap-ng-portal/site/htdocs/static/languages/fi.json

@@ -83,6 +83,7 @@
 "PE91":"Access not granted on OID service",
 "PE92":"Access not granted on GET service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Hyväksy",
 "accessDenied":"Sinulla ei ole käyttöoikeutta tähän sovellukseen",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password":"Salasana",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwdChange":"Password change",

lemonldap-ng-portal/site/htdocs/static/languages/fr.json

@@ -83,6 +83,7 @@
 "PE91":"Accès non autorisé au service OID",
 "PE92":"Accès non autorisé au service GET",
 "PE93":"Accès non autorisé au service d'Usurpation d'Identité",
+"PE94":"Un attribut exigé n'est pas disponible",
 "2fRegRequired":"Ce service requiert une authentification à deux facteurs. Enregistrez un équipement ici et retournez au portail.",
 "accept":"Accepter",
 "accessDenied":"Vous n'avez pas les droits d'accès à cette application",
@@ -192,6 +193,11 @@
 "openSSOSession":"Ouvrir une session SSO",
 "otherSessions":"Autres sessions ouvertes",
 "password": "Mot-de-passe",
+"passwordPolicy": "Merci de respecter la politique suivante :",
+"passwordPolicyMinSize": "Taille minimale :",
+"passwordPolicyMinLower": "Minimum de minuscules :",
+"passwordPolicyMinUpper": "Minimum de majuscules :",
+"passwordPolicyMinDigit": "Minimum de chiffres :",
 "ppGrace": "authentifications restantes, changez votre mot de passe !",
 "proxyError": "Mauvaise passerelle : impossible de joindre le serveur amont",
 "pwdChange":"Changement de mot de passe",

lemonldap-ng-portal/site/htdocs/static/languages/it.json

@@ -83,6 +83,7 @@
 "PE91":"Accesso non concesso sul servizio OID",
 "PE92":"Accesso non concesso sul servizio GET",
 "PE93":"Accesso non concesso sul servizio IMPERSONATION",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"Questo servizio richiede un'autenticazione a doppio fattore. Registrare un dispositivo ora, quindi tornare al portale.",
 "accept":"Accetta",
 "accessDenied":"Non hai un'autorizzazione di accesso per questa applicazione",
@@ -192,6 +193,11 @@
 "openSSOSession":"Apri la sessione SSO",
 "otherSessions":"Altre sessioni attive",
 "password":"Password",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"autenticazioni restanti, modifica la tua password!",
 "proxyError":"Gateway errata: impossibile associarsi a un server remoto",
 "pwdChange":"Cambio password",

lemonldap-ng-portal/site/htdocs/static/languages/nl.json

@@ -83,6 +83,7 @@
 "PE91":"Onbevoegde toegang tot de OID-service",
 "PE92":"Onbevoegde toegang tot de GET-service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password":"Password",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwdChange":"Password change",

lemonldap-ng-portal/site/htdocs/static/languages/pt.json

@@ -83,6 +83,7 @@
 "PE91":"Acesso não autorizado ao serviço OID",
 "PE92":"Acesso não autorizado ao serviço GET",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"Um atributo exigido não está disponível",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password":"Password",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwdChange":"Password change",

lemonldap-ng-portal/site/htdocs/static/languages/ro.json

@@ -83,6 +83,7 @@
 "PE91":"Access not granted on OID service",
 "PE92":"Access not granted on GET service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password":"Password",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"Bad gateway: unable to join remote server",
 "pwdChange":"Password change",

lemonldap-ng-portal/site/htdocs/static/languages/vi.json

@@ -83,6 +83,7 @@
 "PE91":"Truy cập không được cấp trên dịch vụ OID",
 "PE92":"Truy cập không được cấp trên dịch vụ GET",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"Một thuộc tính bắt buộc không có sẵn",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Chấp nhận",
 "accessDenied":"Bạn không có quyền truy cập vào ứng dụng này",
@@ -192,6 +193,11 @@
 "openSSOSession":"Mở phiên SSO của bạn",
 "otherSessions":"Các phiên hoạt động khác",
 "password":"Mật khẩu",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"chứng thực vẫn còn, thay đổi mật khẩu của bạn!",
 "proxyError":"Gateway không chính xác: không thể kết nối máy chủ từ xa",
 "pwdChange":"Thay đổi mật khẩu",

lemonldap-ng-portal/site/htdocs/static/languages/zh.json

@@ -83,6 +83,7 @@
 "PE91":"Access not granted on OID service",
 "PE92":"Access not granted on GET service",
 "PE93":"Access not granted on IMPERSONATION service",
+"PE94":"A required attribute is not available",
 "2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
 "accept":"Accept 方法",
 "accessDenied":"您无权访问此应用",
@@ -192,6 +193,11 @@
 "openSSOSession":"Open your SSO session",
 "otherSessions":"Other active sessions",
 "password":"密码",
+"passwordPolicy":"Please respect the following policy:",
+"passwordPolicyMinSize":"Minimal size:",
+"passwordPolicyMinLower":"Minimal lower characters:",
+"passwordPolicyMinUpper":"Minimal upper characters:",
+"passwordPolicyMinDigit":"Minimal digit characters:",
 "ppGrace":"authentications remaining, change your password!",
 "proxyError":"错误的网关：无法连接远程服务器",
 "pwdChange":"更改密码",

lemonldap-ng-portal/site/templates/bootstrap/mail.tpl

@@ -129,6 +129,8 @@
 
         <h3 trspan="changePwd">Change your password</h3>
 
+        <TMPL_IF NAME="DISPLAY_PPOLICY"><TMPL_INCLUDE NAME="passwordpolicy.tpl"></TMPL_IF>
+
         <div class="input-group mb-3">
           <div class="input-group-prepend">
             <span class="input-group-text"><i class="fa fa-lock"></i> </span>

lemonldap-ng-portal/site/templates/bootstrap/password.tpl

@@ -40,6 +40,8 @@
 
     </TMPL_IF>
 
+    <TMPL_IF NAME="DISPLAY_PPOLICY"><TMPL_INCLUDE NAME="passwordpolicy.tpl"></TMPL_IF>
+
     <div class="input-group mb-3">
       <div class="input-group-prepend">
         <span class="input-group-text"><i class="fa fa-lock"></i></span>

lemonldap-ng-portal/site/templates/bootstrap/passwordpolicy.tpl

@@ -0,0 +1,17 @@
+<div class="alert alert-info text-left mb-3 ppolicy">
+  <span trspan="passwordPolicy">Please respect the following password policy:</span>
+  <ul>
+    <TMPL_IF NAME="PPOLICY_MINSIZE">
+    <li><span trspan="passwordPolicyMinSize">Minimal size:</span> <TMPL_VAR NAME="PPOLICY_MINSIZE"></li>
+    </TMPL_IF>
+    <TMPL_IF NAME="PPOLICY_MINLOWER">
+    <li><span trspan="passwordPolicyMinLower">Minimal lower characters:</span> <TMPL_VAR NAME="PPOLICY_MINLOWER"></li>
+    </TMPL_IF>
+    <TMPL_IF NAME="PPOLICY_MINUPPER">
+    <li><span trspan="passwordPolicyMinUpper">Minimal upper characters:</span> <TMPL_VAR NAME="PPOLICY_MINUPPER"></li>
+    </TMPL_IF>
+    <TMPL_IF NAME="PPOLICY_MINDIGIT">
+    <li><span trspan="passwordPolicyMinDigit">Minimal digit characters:</span> <TMPL_VAR NAME="PPOLICY_MINUPPER"></li>
+    </TMPL_IF>
+  </ul>
+</div>

lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl

@@ -17,7 +17,11 @@
     <div class="input-group-prepend">
       <span class="input-group-text"><i class="fa fa-lock"></i> </span>
     </div>
-    <input name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/>
+    <TMPL_IF NAME="DONT_STORE_PASSWORD">
+      <input name="password" type="text" class="form-control key" trplaceholder="password" autocomplete="off" required aria-required="true"/>
+    <TMPL_ELSE>
+      <input name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/>
+    </TMPL_IF>
   </div>
 
   <TMPL_IF NAME=CAPTCHA_SRC>

lemonldap-ng-portal/t/32-OIDC-Token-Security.t

@@ -15,72 +15,72 @@ my $debug = 'error';
 
 # Initialization
 my $op = LLNG::Manager::Test->new( {
-            ini => {
+        ini => {
-                logLevel                        => $debug,
+            logLevel                        => $debug,
-                domain                          => 'idp.com',
+            domain                          => 'idp.com',
-                portal                          => 'http://auth.op.com',
+            portal                          => 'http://auth.op.com',
-                authentication                  => 'Demo',
+            authentication                  => 'Demo',
-                userDB                          => 'Same',
+            userDB                          => 'Same',
-                issuerDBOpenIDConnectActivation => 1,
+            issuerDBOpenIDConnectActivation => 1,
-                issuerDBOpenIDConnectRule       => '$uid eq "french"',
+            issuerDBOpenIDConnectRule       => '$uid eq "french"',
-                oidcRPMetaDataExportedVars      => {
+            oidcRPMetaDataExportedVars      => {
-                    rp => {
+                rp => {
-                        email       => "mail",
+                    email       => "mail",
-                        family_name => "cn",
+                    family_name => "cn",
-                        name        => "cn"
+                    name        => "cn"
-                    },
-                    rp2 => {
-                        email       => "mail",
-                        family_name => "cn",
-                        name        => "cn"
-                    }
                 },
-                oidcServiceMetaDataIssuer             => "http://auth.op.com",
+                rp2 => {
-                oidcServiceMetaDataAuthorizeURI       => "authorize",
+                    email       => "mail",
-                oidcServiceMetaDataCheckSessionURI    => "checksession.html",
+                    family_name => "cn",
-                oidcServiceMetaDataJWKSURI            => "jwks",
+                    name        => "cn"
-                oidcServiceMetaDataEndSessionURI      => "logout",
+                }
-                oidcServiceMetaDataRegistrationURI    => "register",
+            },
-                oidcServiceMetaDataTokenURI           => "token",
+            oidcServiceMetaDataIssuer             => "http://auth.op.com",
-                oidcServiceMetaDataUserInfoURI        => "userinfo",
+            oidcServiceMetaDataAuthorizeURI       => "authorize",
-                oidcServiceAllowHybridFlow            => 1,
+            oidcServiceMetaDataCheckSessionURI    => "checksession.html",
-                oidcServiceAllowImplicitFlow          => 1,
+            oidcServiceMetaDataJWKSURI            => "jwks",
-                oidcServiceAllowDynamicRegistration   => 1,
+            oidcServiceMetaDataEndSessionURI      => "logout",
-                oidcServiceAllowAuthorizationCodeFlow => 1,
+            oidcServiceMetaDataRegistrationURI    => "register",
-                oidcRPMetaDataOptions                 => {
+            oidcServiceMetaDataTokenURI           => "token",
-                    rp => {
+            oidcServiceMetaDataUserInfoURI        => "userinfo",
-                        oidcRPMetaDataOptionsDisplayName       => "RP",
+            oidcServiceAllowHybridFlow            => 1,
-                        oidcRPMetaDataOptionsIDTokenExpiration => 3600,
+            oidcServiceAllowImplicitFlow          => 1,
-                        oidcRPMetaDataOptionsClientID          => "rpid",
+            oidcServiceAllowDynamicRegistration   => 1,
-                        oidcRPMetaDataOptionsIDTokenSignAlg    => "HS512",
+            oidcServiceAllowAuthorizationCodeFlow => 1,
-                        oidcRPMetaDataOptionsClientSecret      => "rpsecret",
+            oidcRPMetaDataOptions                 => {
-                        oidcRPMetaDataOptionsUserIDAttr        => "",
+                rp => {
-                        oidcRPMetaDataOptionsAccessTokenExpiration => 1,
+                    oidcRPMetaDataOptionsDisplayName           => "RP",
-                        oidcRPMetaDataOptionsBypassConsent => 1,
+                    oidcRPMetaDataOptionsIDTokenExpiration     => 3600,
-                    },
+                    oidcRPMetaDataOptionsClientID              => "rpid",
-                    rp2 => {
+                    oidcRPMetaDataOptionsIDTokenSignAlg        => "HS512",
-                        oidcRPMetaDataOptionsDisplayName       => "RP2",
+                    oidcRPMetaDataOptionsClientSecret          => "rpsecret",
-                        oidcRPMetaDataOptionsIDTokenExpiration => 3600,
+                    oidcRPMetaDataOptionsUserIDAttr            => "",
-                        oidcRPMetaDataOptionsClientID          => "rp2id",
+                    oidcRPMetaDataOptionsAccessTokenExpiration => 1,
-                        oidcRPMetaDataOptionsIDTokenSignAlg    => "HS512",
+                    oidcRPMetaDataOptionsBypassConsent         => 1,
-                        oidcRPMetaDataOptionsClientSecret      => "rp2secret",
-                        oidcRPMetaDataOptionsUserIDAttr        => "",
-                        oidcRPMetaDataOptionsAccessTokenExpiration => 1,
-                        oidcRPMetaDataOptionsBypassConsent => 1,
-                        oidcRPMetaDataOptionsRule => '$uid eq "dwho"',
-                    }
                 },
-                oidcOPMetaDataOptions           => {},
+                rp2 => {
-                oidcOPMetaDataJSON              => {},
+                    oidcRPMetaDataOptionsDisplayName           => "RP2",
-                oidcOPMetaDataJWKS              => {},
+                    oidcRPMetaDataOptionsIDTokenExpiration     => 3600,
-                oidcServiceMetaDataAuthnContext => {
+                    oidcRPMetaDataOptionsClientID              => "rp2id",
-                    'loa-4' => 4,
+                    oidcRPMetaDataOptionsIDTokenSignAlg        => "HS512",
-                    'loa-1' => 1,
+                    oidcRPMetaDataOptionsClientSecret          => "rp2secret",
-                    'loa-5' => 5,
+                    oidcRPMetaDataOptionsUserIDAttr            => "",
-                    'loa-2' => 2,
+                    oidcRPMetaDataOptionsAccessTokenExpiration => 1,
-                    'loa-3' => 3
+                    oidcRPMetaDataOptionsBypassConsent         => 1,
-                },
+                    oidcRPMetaDataOptionsRule => '$uid eq "dwho"',
-                oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
+                }
+            },
+            oidcOPMetaDataOptions           => {},
+            oidcOPMetaDataJSON              => {},
+            oidcOPMetaDataJWKS              => {},
+            oidcServiceMetaDataAuthnContext => {
+                'loa-4' => 4,
+                'loa-1' => 1,
+                'loa-5' => 5,
+                'loa-2' => 2,
+                'loa-3' => 3
+            },
+            oidcServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAs2jsmIoFuWzMkilJaA8//5/T30cnuzX9GImXUrFR2k9EKTMt
 GMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8TrH1PHFmHpy8/qE/S5OhinIpIi7eb
 ABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH1caJ8lmiERFj7IvNKqEhzAk0pyDr
@@ -108,7 +108,7 @@ EYqYAev/l82wi+OZ5O8U+qjFUpT1CVeUJdDs0o5u19v0UJjunU1cwh9jsxBZAWLy
 PAGd6SWf4S3uQCTw6dLeMna25YIlPh5qPA6I/pAahe8e3nSu2ckl
 -----END RSA PRIVATE KEY-----
 ",
-                oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
+            oidcServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs2jsmIoFuWzMkilJaA8/
 /5/T30cnuzX9GImXUrFR2k9EKTMtGMHCdKlWOl3BV+BTAU9TLz7Jzd/iJ5GJ6B8T
 rH1PHFmHpy8/qE/S5OhinIpIi7ebABqnoVcwDdCa8ugzq8k8SWxhRNXfVIlwz4NH
@@ -118,13 +118,13 @@ kX5rx0h5SslG3jVWYhZ/SOb2aIzOr0RMjhQmsYRwbpt3anjlBZ98aOzg7GAkbO80
 GQIDAQAB
 -----END PUBLIC KEY-----
 ",
-            }
         }
-    );
+    }
+);
 my $res;
 
 # Authenticate to LLNG
-my $url = "/";
+my $url   = "/";
 my $query = "user=french&password=french";
 ok(
     $res = $op->_post(
@@ -139,11 +139,12 @@ count(1);
 my $idpId = expectCookie($res);
 
 # Get code for RP1
-my $query="response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp2.com%2F";
+my $query =
+"response_type=code&scope=openid%20profile%20email&client_id=rpid&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Frp2.com%2F";
 ok(
     $res = $op->_get(
         "/oauth2/authorize",
-        query => "$query",
+        query  => "$query",
         accept => 'text/html',
         cookie => "lemonldap=$idpId",
     ),
@@ -151,10 +152,11 @@ ok(
 );
 count(1);
 
-my ( $code ) = expectRedirection( $res, qr#http://rp2\.com/.*code=([^\&]*)#);
+my ($code) = expectRedirection( $res, qr#http://rp2\.com/.*code=([^\&]*)# );
 
 # Play code on RP2
-$query="grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
+$query =
+"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
 
 ok(
     $res = $op->_post(
@@ -163,7 +165,7 @@ ok(
         accept => 'text/html',
         length => length($query),
         custom => {
-            HTTP_AUTHORIZATION => "Basic ". encode_base64("rp2id:rp2secret"),
+            HTTP_AUTHORIZATION => "Basic " . encode_base64("rp2id:rp2secret"),
         },
     ),
     "Post token"
@@ -171,11 +173,12 @@ ok(
 count(1);
 
 # Expect an invalid request
-ok ($res->[0] = 400);
+is( $res->[0], 400 );
 count(1);
 
 # Play code on RP1
-$query="grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
+$query =
+"grant_type=authorization_code&code=$code&redirect_uri=http%3A%2F%2Frp2.com%2F";
 
 ok(
     $res = $op->_post(
@@ -184,15 +187,15 @@ ok(
         accept => 'text/html',
         length => length($query),
         custom => {
-            HTTP_AUTHORIZATION => "Basic ". encode_base64("rpid:rpsecret"),
+            HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
         },
     ),
     "Post token"
 );
 count(1);
-my $json = from_json($res->[2]->[0]);
+my $json  = from_json( $res->[2]->[0] );
 my $token = $json->{access_token};
-ok($token, 'Access token present');
+ok( $token, 'Access token present' );
 count(1);
 sleep(2);
 
@@ -203,13 +206,13 @@ ok(
         accept => 'text/html',
         length => 0,
         custom => {
-            HTTP_AUTHORIZATION => "Bearer ". $token,
+            HTTP_AUTHORIZATION => "Bearer " . $token,
         },
     ),
     "Post userinfo"
 );
 count(1);
-ok($res->[0] == 401, "Access denied with expired token");
+is( $res->[0], 401, "Access denied with expired token" );
 count(1);
 
 clean_sessions();

lemonldap-ng-portal/t/41-Captcha.t

@@ -6,7 +6,7 @@ require 't/test-lib.pm';
 
 my $res;
 
-my $maintests = 16;
+my $maintests = 17;
 SKIP: {
     eval 'use GD::SecurityImage;use Image::Magick;';
     if ($@) {
@@ -15,11 +15,12 @@ SKIP: {
 
     my $client = LLNG::Manager::Test->new( {
             ini => {
-                logLevel              => 'error',
+                logLevel                  => 'error',
-                useSafeJail           => 1,
+                useSafeJail               => 1,
-                loginHistoryEnabled   => 1,
+                browsersDontStorePassword => 1,
-                captcha_login_enabled => 1,
+                loginHistoryEnabled       => 1,
-                portalMainLogo        => 'common/logos/logo_llng_old.png',
+                captcha_login_enabled     => 1,
+                portalMainLogo            => 'common/logos/logo_llng_old.png',
             }
         }
     );
@@ -31,6 +32,12 @@ SKIP: {
 
     ok( $res = $client->_get( '/', accept => 'text/html' ), 'Unauth request' );
     my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'token' );
+    ok(
+        $res->[2]->[0] =~
+m%<input name="password" type="text" class="form-control key" trplaceholder="password" autocomplete="off" required aria-required="true"/>%,
+        'Password: Found text input'
+    );
+
     $query =~ s/.*\btoken=([^&]+).*/token=$1/;
     my $token;
     ok( $token = $1, ' Token value is defined' );

lemonldap-ng-portal/t/41-Token.t

@@ -21,6 +21,13 @@ ok( $res = $client->_get( '/', accept => 'text/html' ), 'Unauth request' );
 count(1);
 
 my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'token' );
+ok(
+    $res->[2]->[0] =~
+m%<input name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/>%,
+    'Password: Found password input'
+);
+count(1);
+
 $query =~ s/.*\b(token=[^&]+).*/$1/;
 
 # Try to auth without token

lemonldap-ng-portal/t/43-MailPasswordReset-Combination-LDAP.t

@@ -0,0 +1,112 @@
+use Test::More;
+use strict;
+use IO::String;
+
+BEGIN {
+    eval {
+        require 't/test-lib.pm';
+        require 't/smtp.pm';
+    };
+}
+
+my ( $res, $user, $pwd );
+my $maintests = 8;
+my $mailSend  = 0;
+
+my $mail2 = 0;
+
+SKIP: {
+    eval
+      'require Email::Sender::Simple;use GD::SecurityImage;use Image::Magick;';
+    if ($@) {
+        skip 'Missing dependencies', $maintests;
+    }
+
+    skip 'LLNGTESTLDAP is not set', $maintests unless ( $ENV{LLNGTESTLDAP} );
+    require 't/test-ldap.pm';
+
+    my $client = LLNG::Manager::Test->new( {
+            ini => {
+                logLevel                   => 'error',
+                useSafeJail                => 1,
+                portalDisplayRegister      => 1,
+                authentication             => 'Combination',
+                userDB                     => 'Same',
+                passwordDB                 => 'LDAP',
+                ldapServer                 => 'ldap://127.0.0.1:19389/',
+                ldapBase                   => 'ou=users,dc=example,dc=com',
+                managerDn                  => 'cn=admin,dc=example,dc=com',
+                managerPassword            => 'admin',
+                captcha_mail_enabled       => 0,
+                portalDisplayResetPassword => 1,
+                combModules                => {
+                    'LDAP' => { 'for' => 0, 'type' => 'LDAP' },
+                    'Demo' => { 'for' => 0, 'type' => 'Demo' }
+                },
+                combination => '[LDAP, LDAP] or [Demo, Demo]',
+            }
+        }
+    );
+
+    # Test form
+    # ------------------------
+    ok( $res = $client->_get( '/resetpwd', accept => 'text/html' ),
+        'Reset form', );
+    my ( $host, $url, $query ) = expectForm( $res, '#', undef, 'mail' );
+
+    $query = 'mail=dwho%40badwolf.org';
+
+    # Post email
+    ok(
+        $res = $client->_post(
+            '/resetpwd', IO::String->new($query),
+            length => length($query),
+            accept => 'text/html'
+        ),
+        'Post mail'
+    );
+
+    ok( mail() =~ m#a href="http://auth.example.com/resetpwd\?(.*?)"#,
+        'Found link in mail' );
+    $query = $1;
+
+    ok(
+        $res =
+          $client->_get( '/resetpwd', query => $query, accept => 'text/html' ),
+        'Post mail token received by mail'
+    );
+    ( $host, $url, $query ) = expectForm( $res, '#', undef, 'token' );
+    ok( $res->[2]->[0] =~ /newpassword/s, ' Ask for a new password' );
+
+    $query .= '&newpassword=zz&confirmpassword=zz';
+
+    # Post new password
+    ok(
+        $res = $client->_post(
+            '/resetpwd', IO::String->new($query),
+            length => length($query),
+            accept => 'text/html'
+        ),
+        'Post new password'
+    );
+
+    ok( mail() =~ /Your password was changed/, 'Password was changed' );
+
+    ok(
+        $res = $client->_post(
+            '/',
+            IO::String->new('user=dwho&password=zz'),
+            length => 21
+        ),
+        'Auth query'
+    );
+    expectOK($res);
+    my $id = expectCookie($res);
+
+    $client->logout($id);
+
+    #print STDERR Dumper($query);
+}
+count($maintests);
+stopLdapServer() if $ENV{LLNGTESTLDAP};
+done_testing( count() );