Fix CrowdSec plugin (#2817)

for users who need to upgrade from very old versions

.gitlab-ci.yml

@@ -61,6 +61,8 @@ build_centos_8:
   extends: .build_job
   image: buildpkg/centos:8
   script:
+     - sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+     - sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
      - yum-config-manager --enable PowerTools
      - yum-config-manager --enable AppStream
      - yum -y install epel-release

AUTHORS

@@ -27,4 +27,4 @@ Past and present contributors:
   * Mame Dieynaba SENE
   * Habib ZITOUNI
 
-See http://lemonldap-ng.org/contact#the_team
+See https://lemonldap-ng.org/team.html

CONTRIBUTING.md

@@ -3,4 +3,4 @@
 * Repository, issues,... : https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
 * Translations :
   * software : https://www.transifex.com/lemonldapng/lemonldapng/
-  * documentation : since 2.0, LLNG community supports only english doc
+  * documentation : since 2.0, LL::NG community supports only english doc

COPYING

@@ -4,22 +4,22 @@ Upstream-Contact: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
 Source: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags?sort=updated_desc
 
 Files: *
-Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
- 2006-2020, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
  2008, Mikael Ates <mikael.ates@univ-st-etienne.fr>
  2008-2011, Thomas Chemineau <thomas.chemineau@gmail.com>
  2012-2013, Sandro Cazzaniga <cazzaniga.sandro@gmail.com>
  2012-2015, François-Xavier Deltombe <fxdeltombe@gmail.com>
- 2012-2019, David Coutadeur <david.coutadeur@gmail.com>
- 2018-2020, Christophe Maudoux <chrmdx@gmail.com>
- 2019-2020, Maxime Besson <maxime.besson@worteks.com>
+ 2012-2021, David Coutadeur <david.coutadeur@gmail.com>
  2019, Soisik Frogier <soisik.froger@worteks.com>
  2019, Mame Dieynaba Sene <msene@linagora.com>
- 2019, Antoine Rosier <lemonldap@mon-refuge.fr>
- 2005-2020, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
+ 2019-2021, Antoine Rosier <lemonldap@mon-refuge.fr>
+ 2005-2022, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
  2006-2019, LINAGORA <info@linagora.com>
  2015-2018, Savoir-faire Linux <contact@savoirfairelinux.com>
- 2018-2020, Worteks <info@worteks.com>
+ 2018-2022, Worteks <info@worteks.com>
 License: GPL-2+
 
 Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
@@ -33,17 +33,23 @@ Copyright: 2011, Tatsuhiko Miyagawa <miyagawa@bulknews.net>
 License: Artistic or GPL-1+
 
 Files: *.js
-Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
- 2006-2019, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
  2008-2012, Thomas Chemineau <thomas.chemineau@gmail.com>
- 2018-2019, Christophe Maudoux <chrmdx@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
 License: GPL-2+
 
+Files: lemonldap-ng-portal/site/htdocs/static/bootstrap/webauthn.png
+Copyright: James Cullum <https://github.com/JamesCullum>
+License: WebAuthnLogoLicense
+
 Files: lemonldap-ng-portal/site/htdocs/static/common/js/portal.js
-Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
- 2006-2019, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
  2008-2012, Thomas Chemineau <thomas.chemineau@gmail.com>
- 2018-2019, Christophe Maudoux <chrmdx@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
 License: GPL-2+
 Comment: a little part of it comes from JQuery-UI examples
  (https://snipplr.com/view/29434/)
@@ -1268,3 +1274,26 @@ License: BSD-3-clause
  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: WebAuthnLogoLicense
+ How to Use These Logos
+ .
+ Do these awesome things:
+ .
+  * Use the WebAuthn logo to link to WebAuthn specs or webauthn.org
+  * Use the WebAuthn logo to show that your product or project has built-in WebAuthn integration
+  * Use the WebAuthn logo in a blog post or news article about WebAuthn
+ .
+ Please don't do these things:
+ .
+  x Use the WebAuthn logo for your application’s icon
+  x Create a modified version of the WebAuthn logo
+  x Integrate the WebAuthn logo into your logo
+  x Use any WebAuthn artwork without permission
+  x Sell any WebAuthn artwork without permission
+  x Change the colors, dimensions or add your own text/images
+ .
+ Please contact me
+ .
+  * If you want to use artwork not included in this repository
+  * If you want to use these images in a video/mainstream media

INSTALL

@@ -29,15 +29,10 @@ package for Debian works fine).
 
 1.1.2 - Perl prereq
 
-Perl modules:
-  Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
-  DBI, XML::Simple, SOAP::Lite, HTML::Template, XML::LibXML, XML::LibXSLT
+Perl modules: use `perl scripts/dependencies-list.pl` to see needed list
 
 With Debian:
-  apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
-                  libdbi-perl perl-modules libwww-perl libcache-cache-perl \
-                  libxml-simple-perl libhtml-template-perl libsoap-lite-perl \
-                  libxml-libxml-perl libxml-libxslt-perl
+  apt-get build-dep lemonldap-ng
 
 1.2 - BUILDING
 --------------
@@ -52,6 +47,8 @@ With Debian:
 By default, all is installed in /usr/local/lemonldap-ng except Perl libraries
 which are installed in a directory included in @INC.
 
+Documentation is then available in /usr/local/lemonldap-ng/doc
+
 1.2.2 - Install on Debian
 
   $ tar xzf lemonldap-ng-*.tar.gz
@@ -62,223 +59,4 @@ which are installed in a directory included in @INC.
 Here, all is installed in /var/lib/lemonldap-ng, /etc/lemonldap-ng except Perl
 libraries which are installed in /usr/share/perl5/Lemonldap/NG/
 
-1.3 - EXAMPLE CONFIGURATION
----------------------------
-
-If you have build Debian packages, configuration is done by Debconf. See
-/usr/share/doc/liblemonldap-ng-common/README.Debian to use it.
-
-After build, you have a new file named example/apache.conf. You just have to
-include this file in Apache configuration:
-
-  # in httpd.conf (with Apache1)
-  include /path/to/lemonldap-ng/source/example/apache.conf
-  # or in apache2.conf (with Apache2)
-  include /path/to/lemonldap-ng/source/example/apache2.conf
-
-Modify your /etc/hosts file to include:
-
-  127.0.0.1 auth.example.com test1.example.com manager.example.com test2.example.com
-
-Use a browser to connect to http://manager.example.com/ and specify your LDAP
-settings. If you don't set managerDn and managerPassword, Lemonldap::NG will
-use an anonymous bind to find user dn.
-
-Next, restart Apache use your prefered browser and try to connect to
-http://test1.example.com/. You'll be redirect to auth.example.com. Try
-to authenticate yourself with a valid account and the protected page will
-appear. You will find other explanations on this page.
-
-the file /usr/local/lemonldap-ng/etc/storage.conf
-(/etc/lemonldap-ng/storage.conf on Debian systems) can be modified to change
-configuration database.
-
--------------------------
-2 - ADVANCED INSTALLATION
--------------------------
-
-It is recommended to install the example first then to adapt it.
-
-2.1 - PREREQ
-
-2.1.1 - Apache
-
-To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
-server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
-Apache proposed with your Linux distribution match, but some distributions used
-an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
-not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
-have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
-package for Debian works fine).
-
-For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
-faster and Lemonldap::NG use the thread system for best performance. If you
-have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
-anyway.
-
-You can use Lemonldap::NG in an heterogene world: the authentication portal and
-the manager can work in any version of Apache 1.3 or more even if mod_perl is
-not compiled, with ModPerl::Registry or not... Only the handler (site protector)
-need mod_perl. The different handlers can run on different servers with
-different versions of Apache/mod_perl.
-
-2.1.2 - Perl prereq
-
-Warning: Handler and Portal parts both need Lemonldap::NG::Manager components
-to access to configuration.
-
-Manager:
---------
-Apache::Session, MIME::Base64, CGI, LWP::UserAgent, DBI, XML::Simple,
-SOAP::Lite, XML::LibXML, XML::LibXSLT, Lemonldap::NG::Common
-
-With Debian:
-  apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
-  # If you want to use SOAP
-  apt-get install libsoap-lite-perl
-
-Portal:
--------
-Apache::Session, Net::LDAP, MIME::Base64, CGI, Cache::Cache, DBI, XML::Simple,
-SOAP::Lite, HTML::Template, XML::LibXML, Lemonldap::NG::Common
-
-With Debian:
-  apt-get install libapache-session-perl libnet-ldap-perl perl-modules
-
-Handler:
---------
-Apache::Session, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI,
-XML::Simple, SOAP::Lite, Lemonldap::NG::Common
-
-With Debian:
-  apt-get install libapache-session-perl libwww-perl libcache-cache-perl
-
-2.2 - SOFTWARE INSTALLATION
----------------------------
-
-If you just want to install a handler or a portal or a manager:
-
-  $ tar xzf lemonldap-ng-*.tar.gz
-  $ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
-  $ perl Makefile.PL && make && make test
-  $ sudo make install
-
-else for a complete install:
-
-  $ tar xzf lemonldap-ng-*.tar.gz
-  $ cd lemonldap-ng-*
-  $ make && make test
-  $ sudo make install
-
-See prereq in §1.1.2
-
-2.3 - LEMONLDAP::NG INSTALLATION
---------------------------------
-
-2.3.1 - Database configuration
-
-2.3.1.1 - Lemonldap::NG Configuration database
-
-If you use DBI or another system to share Lemonldap::NG configuration, you have
-to initialize the database. An example is given in example/lmConfig.mysql for
-MySQL.
-
-2.3.1.2 - Apache::Session database
-
-The choice of Apache::Session::* module is free. See Apache::Session::Store::*
-or Apache::Session::* to know how to configure the module. For example, if you
-want to use Apache::Session::MySQL, you can create the database like this:
-
-  CREATE DATABASE sessions (
-    id char(32),
-    a_session text
-  );
-
-2.3.2 - Manager configuration
-
-Copy example/manager.cgi and personalize it if you want (see
-Lemonldap::NG::Manager). You have to set in particular configStorage. For
-example with MySQL:
-
-  $my $manager = Lemonldap::NG::Manager->new ( {
-                        dbiChain   => "DBI:mysql:database=mybase;host=1.2.3.4",
-                        dbiUser    => "lemonldap-ng",
-                        dbiPassword => "mypass",
-                 } );
-
-Securise Manager access with Apache: Lemonldap::NG does not securise the manager
-itself yet:
-
-  SSLEngine On
-  Order Deny, Allow
-  Deny from all
-  Allow from admin-network/netmask
-  AuthType Basic
-  ...
-
-After configuration, you can also protect the manager with an Lemonldap::NG
-handler.
-
-2.3.3 - Configuration edition
-
-Connect to the manager with your browser start configure your Web-SSO. You have
-to set at least some parameters:
-
-a) General parameters :
-
- * Authentication parameters -> portal : URL to access to the authentication
-                                         portal
- * Domain : the cookie domain. All protected VirtualHosts have to be under it
-
- * LDAP parameters -> LDAP Server
-
- * LDAP parameters -> LDAP Accout and password : required only if anonymous
-                                                 binds are not accepted
-
- * Session Storage -> Apache::Session module : how to store user sessions.
-                                               You can use all module that
-                                               inherit from Apache::Session
-                                               like Apache::Session::MySQL
-
- * Session Storage -> Apache::Session Module parameters :
-                                        see Apache::Session::<Choosen module>
-
-b) User groups :
-
-Use the "New Group" button to add your first group. On the left, set the
-keyword which will be used later and set on the right the corresponding rule:
-you can use :
-
- * an LDAP filter (it will be tested with the user uid)
-
-or
-
- * a Perl condition enclosed with {}. All variables declared in "General
-   parameters -> LDAP attributes" can be used with a "$". For example:
-   MyGroup  /  { $uid eq "foo" or $uid eq "bar" }
-
-c) Virtual hosts
-
-You have to create a virtual host for each Apache host (virtual or real)
-protected by Lemonldap::NG even if just a sub-directory is protected. Else,
-user who want to access to the protected area will be rejected with a "500
-Internal Server Error" message and the apache logs will explain the problem.
-
-Each virtual host has 2 groups of parameters:
-
- * Headers: the headers added to the apache request. Default :
-            Auth-User => $uid
- * Rules: subdivised in 2 categories:
-          * default : the default rule
-          * personalized rules: association of a Perl regular expression and
-                                a condition. For example:
-                                ^/restricted.*$  /  $groups =~ /\bMyGroup\b/
-
-
--------------
-3 - DEBUGGING
--------------
-
-Lemonldap::NG uses simply the Apache log system. So use LogLevel to choose
-information to display.
-
+Documentation is then available in /usr/share/doc/lemonldap-ng

Makefile

@@ -36,6 +36,8 @@ LISTCOMPRESSED=tar tzf
 COMPRESSSUFFIX=tar.gz
 NGINX=/usr/sbin/nginx
 UGLIFYJSVERSION:=$(shell uglifyjs --version|perl -pe 's/^[^\d]*(\d).*$$/$$1/')
+CHOWN=chown
+CHMOD=chmod
 
 # Default directories install
 # ---------------------------
@@ -63,6 +65,7 @@ MANAGERSITEDIR=$(MANAGERDIR)/htdocs
 MANAGERAPIDIR=$(MANAGERDIR)/api
 MANAGERSTATICDIR=$(MANAGERSITEDIR)/static
 MANAGERRELATIVESTATICDIR=/static
+MANAGERRELATIVEDOCDIR=/doc
 MANAGERTEMPLATESDIR=$(MANAGERSITEDIR)/templates
 DOCDIR=$(DOCUMENTROOT)
 DEFDOCDIR=$(DOCUMENTROOT)/doc
@@ -473,6 +476,7 @@ e2e-tests/conf/apache2.pid: start_web_server
 
 start_web_server:	all prepare_test_server
 	# Clean old server if launched
+	mkdir -p e2e-tests/conf
 	@if test "$(TESTBACKEND)" = "DBI"; then \
 		echo 'create table lmConfig (cfgNum int, data text);'|sqlite3 e2e-tests/conf/config.db; \
 		echo 'create table sessions (id text, a_session text, LastUpdated int);'|sqlite3 e2e-tests/conf/sessions.db; \
@@ -645,6 +649,7 @@ install_bin:	install_conf_dir
 		${SRCPORTALDIR}/scripts/llngDeleteSession \
 		${SRCCOMMONDIR}/scripts/convertConfig \
 		${SRCCOMMONDIR}/scripts/convertSessions \
+		${SRCCOMMONDIR}/scripts/encryptTotpSecrets \
 		${SRCCOMMONDIR}/scripts/lmMigrateConfFiles2ini \
 		${SRCCOMMONDIR}/scripts/rotateOidcKeys \
 		${SRCMANAGERDIR}/scripts/lmConfigEditor \
@@ -674,12 +679,12 @@ install_bin:	install_conf_dir
 			$(RBINDIR)/lemonldap-ng-cli \
 			$(RBINDIR)/lemonldap-ng-sessions; \
 	fi
-	@chmod +x $(RBINDIR)/*
+	@$(CHMOD) +x $(RBINDIR)/*
 
 install_fastcgi_server:
 	@install -v -d $(RSBINDIR) $(RINITDIR) $(RETCDEFAULTDIR) $(RFASTCGISOCKDIR)
 	@cp -f fastcgi-server/sbin/llng-fastcgi-server $(RSBINDIR)
-	@chmod +x $(RSBINDIR)/llng-fastcgi-server
+	@$(CHMOD) +x $(RSBINDIR)/llng-fastcgi-server
 	@cp -f fastcgi-server/rc/llng-fastcgi-server $(RINITDIR)
 	@cp -f fastcgi-server/default/llng-fastcgi-server $(RETCDEFAULTDIR)
 	@$(PERL) -pi -e 's#__SBINDIR__#$(SBINDIR)#;s#__DEFAULTDIR__#$(ETCDEFAULTDIR)#;s#__FASTCGISOCKDIR__#$(FASTCGISOCKDIR)#g;' \
@@ -697,13 +702,13 @@ install_fastcgi_server:
 		$(PERL) -pi -e 's#__GROUP__#$(FASTCGIGROUP)#' $(RETCDEFAULTDIR)/llng-fastcgi-server; \
 	fi
 	@if [ "$(FASTCGIUSER)" != "" ]; then \
-		chown $(FASTCGIUSER) $(RFASTCGISOCKDIR) || exit 1; \
+		$(CHOWN) $(FASTCGIUSER) $(RFASTCGISOCKDIR) || exit 1; \
 		if [ "$(FASTCGIGROUP)" != "" ]; then \
 			chgrp $(FASTCGIGROUP) $(RFASTCGISOCKDIR) || exit 1; \
 		fi; \
-		chmod 770 $(RFASTCGISOCKDIR); \
+		$(CHMOD) 770 $(RFASTCGISOCKDIR); \
 	else \
-		chmod 777 $(RFASTCGISOCKDIR); \
+		$(CHMOD) 777 $(RFASTCGISOCKDIR); \
 	fi
 
 install_uwsgi_server:
@@ -723,7 +728,7 @@ install_site:	install_manager_site install_portal_site install_handler_site inst
 	fi
 	@$(PERL) -i -pe 's/__DNSDOMAIN__/$(DNSDOMAIN)/g' $(RCONFDIR)/for_etc_hosts
 	# Fix a lost of rights on the main directory
-	@chmod 755 $(RBINDIR) $(RDOCUMENTROOT) $(REXAMPLESDIR) $(RHANDLERDIR) $(RPORTALSTATICDIR) $(RMANAGERSITEDIR) $(RMANAGERAPIDIR) $(RTOOLSDIR) $(RCONFDIR) $(RDATADIR)
+	@$(CHMOD) 755 $(RBINDIR) $(RDOCUMENTROOT) $(REXAMPLESDIR) $(RHANDLERDIR) $(RPORTALSTATICDIR) $(RMANAGERSITEDIR) $(RMANAGERAPIDIR) $(RTOOLSDIR) $(RCONFDIR) $(RDATADIR)
 	@echo
 	@echo "LemonLDAP::NG v${VERSION} is installed with these parameters:"
 	@echo "  - System configuration: ${CONFDIR}"
@@ -802,6 +807,7 @@ install_manager_site:	install_conf_dir
 	@rm -rf $$(find ${RMANAGERSTATICDIR} \
 		$(RMANAGERTEMPLATESDIR) $(RCONFDIR) -type d -name .svn)
 	@$(PERL) -i -pe 's#__MANAGERSTATICDIR__#$(MANAGERRELATIVESTATICDIR)#g' $(RCONFDIR)/$(CONFFILENAME)
+	@$(PERL) -i -pe 's#__MANAGERDOCDIR__#$(MANAGERRELATIVEDOCDIR)#g' $(RCONFDIR)/$(CONFFILENAME)
 	@$(PERL) -i -pe 's#__MANAGERTEMPLATESDIR__#$(MANAGERTEMPLATESDIR)#g' $(RCONFDIR)/$(CONFFILENAME)
 
 install_portal_site:	install_conf_dir
@@ -884,23 +890,9 @@ install_examples_site:
 install_doc_site:
 	# Offline documentation install
 	@rm -rf $(RDEFDOCDIR)
-	# Install doc directories
 	@install -v -d -m 755 $(RDEFDOCDIR)
-	@cd doc && find * -type d |(cd $(RDEFDOCDIR); xargs install -v -d -m 755) && cd -
-	# Install HTML files
-	@cd doc && for f in `find * -type f -name '*.html'`; do \
-		echo "Installing $$f"; \
-		../scripts/transform-templates \
-			usedebianlibs $(USEDEBIANLIBS) \
-			useexternallibs $(USEEXTERNALLIBS) \
-			jsminified $(JSCOMPRESS) \
-			cssminified $(CSSCOMPRESS) <$$f \
-		> $(RDEFDOCDIR)/$$f; \
-	done && cd -
-	# Install other files
-	@cd doc && for f in `find * -type f ! -name '*.html'`; do \
-		install -v -m 644 $$f $(RDEFDOCDIR)/$$f; \
-	done && cd -
+	@cd doc && find index.html pages/* -type f ! -path '*/.*' -exec install -v -m 644 -D '{}' $(RDEFDOCDIR)/'{}' \; && cd -
+
 	# Remove js
 	@cd $(RDEFDOCDIR) && if test "$(USEEXTERNALLIBS)" = "yes"; then \
 		rm -rvf $(DOCEXTERNALLIBS); \
@@ -922,13 +914,13 @@ install_conf_dir:	install_sessions_dir install_notif_dir install_captcha_dir ins
 		s#__NOTIFICATIONDIR__#$(APACHEFILENOTIFDIR)#g;\
 		s#__CACHEDIR__#$(CACHEDIR)#g;' $(RFILECONFIGDIR)/lmConf-1.json
 	@if [ "$(APACHEUSER)" != "" ]; then \
-		chown $(APACHEUSER) $(RFILECONFIGDIR) || exit 1; \
+		$(CHOWN) $(APACHEUSER) $(RFILECONFIGDIR) || exit 1; \
 		if [ "$(APACHEGROUP)" != "" ]; then \
 			chgrp $(APACHEGROUP) $(RFILECONFIGDIR) || exit 1; \
 		fi; \
-		chmod 770 $(RFILECONFIGDIR); \
+		$(CHMOD) 770 $(RFILECONFIGDIR); \
 	else \
-		chmod 777 $(RFILECONFIGDIR); \
+		$(CHMOD) 777 $(RFILECONFIGDIR); \
 	fi
 	@cp $(SRCCOMMONDIR)/tools/lmConfig.* $(SRCCOMMONDIR)/tools/apache-session-mysql.sql $(RTOOLSDIR)
 	@cp $(SRCCOMMONDIR)/tools/sso.schema $(RTOOLSDIR)
@@ -940,52 +932,52 @@ install_sessions_dir:
 	@install -m 777 -v -d $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR)
 	# Fix Apache::Session directories permissions
 	@if [ "$(APACHEUSER)" != "" ]; then \
-		chown $(APACHEUSER) $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR) || exit 1; \
+		$(CHOWN) $(APACHEUSER) $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR) || exit 1; \
 		if [ "$(APACHEGROUP)" != "" ]; then \
 			chgrp $(APACHEGROUP) $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR) || exit 1; \
 		fi; \
-		chmod 770 $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR); \
+		$(CHMOD) 770 $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR); \
 	else \
-		chmod 777 $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR); \
+		$(CHMOD) 777 $(RAPACHESESSIONFILEDIR) $(RAPACHESESSIONFILELOCKDIR) $(RAPACHEPSESSIONFILEDIR) $(RAPACHEPSESSIONFILELOCKDIR); \
 	fi
 
 install_notif_dir:
 	@install -m 777 -v -d $(RFILENOTIFDIR)
 	# Fix notifications directory permissions
 	@if [ "$(APACHEUSER)" != "" ]; then \
-		chown $(APACHEUSER) $(RFILENOTIFDIR) || exit 1; \
+		$(CHOWN) $(APACHEUSER) $(RFILENOTIFDIR) || exit 1; \
 		if [ "$(APACHEGROUP)" != "" ]; then \
 			chgrp $(APACHEGROUP) $(RFILENOTIFDIR) || exit 1; \
 		fi; \
-		chmod 770 $(RFILENOTIFDIR); \
+		$(CHMOD) 770 $(RFILENOTIFDIR); \
 	else \
-		chmod 777 $(RFILENOTIFDIR); \
+		$(CHMOD) 777 $(RFILENOTIFDIR); \
 	fi
 
 install_captcha_dir:
 	@install -m 777 -v -d $(RCAPTCHADIR)
 	# Fix captcha directory permissions
 	@if [ "$(APACHEUSER)" != "" ]; then \
-		chown $(APACHEUSER) $(RCAPTCHADIR) || exit 1; \
+		$(CHOWN) $(APACHEUSER) $(RCAPTCHADIR) || exit 1; \
 		if [ "$(APACHEGROUP)" != "" ]; then \
 			chgrp $(APACHEGROUP) $(RCAPTCHADIR) || exit 1; \
 		fi; \
-		chmod 770 $(RCAPTCHADIR); \
+		$(CHMOD) 770 $(RCAPTCHADIR); \
 	else \
-		chmod 777 $(RCAPTCHADIR); \
+		$(CHMOD) 777 $(RCAPTCHADIR); \
 	fi
 
 install_cache_dir:
 	@install -m 777 -v -d $(RCACHEDIR)
 	# Fix captcha directory permissions
 	@if [ "$(APACHEUSER)" != "" ]; then \
-		chown $(APACHEUSER) $(RCACHEDIR) || exit 1; \
+		$(CHOWN) $(APACHEUSER) $(RCACHEDIR) || exit 1; \
 		if [ "$(APACHEGROUP)" != "" ]; then \
 			chgrp $(APACHEGROUP) $(RCACHEDIR) || exit 1; \
 		fi; \
-		chmod 770 $(RCACHEDIR); \
+		$(CHMOD) 770 $(RCACHEDIR); \
 	else \
-		chmod 777 $(RCACHEDIR); \
+		$(CHMOD) 777 $(RCACHEDIR); \
 	fi
 
 postconf_hosts:
@@ -1088,7 +1080,7 @@ dist:	clean
 	@cp -pRH $$(find * -maxdepth 0|grep -v -e "lemonldap-ng-$(VERSION)") lemonldap-ng-$(VERSION)
 	@find $$dir -name '*.bak' -delete
 	@rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
-	@rm -rf lemonldap-ng-$(VERSION)/node_modules
+	@find lemonldap-ng-$(VERSION)/ -name node_modules -exec rm -rf '{}' \;
 	@$(COMPRESS) lemonldap-ng-$(VERSION).$(COMPRESSSUFFIX) lemonldap-ng-$(VERSION)
 	@rm -rf lemonldap-ng-$(VERSION)
 
@@ -1102,7 +1094,7 @@ debian-dist:	clean
 	@cp lemonldap-ng-$(VERSION)/_example/etc/api-apache2.X.conf lemonldap-ng-$(VERSION)/_example/etc/api-apache2.conf
 	@cp lemonldap-ng-$(VERSION)/_example/etc/test-apache2.X.conf lemonldap-ng-$(VERSION)/_example/etc/test-apache2.conf
 	@rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
-	@rm -rf lemonldap-ng-$(VERSION)/node_modules
+	-@find lemonldap-ng-$(VERSION)/ -name node_modules -exec rm -rf '{}' \;
 	@$(COMPRESS) lemonldap-ng_$(VERSION).orig.$(COMPRESSSUFFIX) lemonldap-ng-$(VERSION)
 	@rm -rf lemonldap-ng-$(VERSION)
 
@@ -1113,7 +1105,7 @@ manifest:   configure
 	@for i in ${SRCCOMMONDIR} ${SRCHANDLERDIR} ${SRCPORTALDIR} ${SRCMANAGERDIR}; do \
 		cd $$i; \
 		rm -vf MANIFEST MANIFEST*bak; \
-		make manifest; \
+		$(MAKE) manifest; \
 		cd -; \
 	done
 	perl -i -ne 'print unless/proverc/' */MANIFEST
@@ -1175,15 +1167,14 @@ test-diff:
 	done
 
 tidy: clean
-	@if perltidy -v|grep v20181120 >/dev/null; then \
-		find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \) -print -exec perltidy -se -b {} \; ; \
-		else echo "Wrong perltidy version, please install Perl::Tidy@20181120" ; exit 1 ;\
+	@if perltidy -v|grep v20220217 >/dev/null; then \
+		for f in `find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \)`; do \
+			echo -n $$f; \
+			perltidy -se -b $$f; \
+			echo; \
+		done; \
+	else echo "Wrong perltidy version, please install Perl::Tidy@20220217" ; exit 1 ;\
 	fi
-	for f in `find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.fcgi' -or -name '*.t' \)`; do \
-		echo -n $$f; \
-		perltidy -se -b $$f; \
-		echo; \
-	done
 	find lemon*/ -name '*.bak' -delete
 	$(MAKE) json
 

RELEASE

@@ -8,6 +8,7 @@ The version
 * changelog: change version in scripts/generate-changelog.pl and run it
 * Main modules (Common.pm/Handler.pm/Portal.pm/Manager.pm)
 * Makefile.PL for cross-dependencies
+* codemeta.json
 
 - Then update packages information with:
 $ make clean && make cpan
@@ -19,6 +20,10 @@ $ make clean && make cpan
 Before release
 --------------
 
+- Run unit tests
+  $ make test
+  $ make LLNGTESTLDAP=1 LLNGTESTLDAP_SLAPD_BIN=/usr/local/openldap/libexec/slapd LLNGTESTLDAP_SLAPADD_BIN=/usr/local/openldap/sbin/slapadd LLNGTESTLDAP_SCHEMA_DIR=/usr/local/openldap/etc/openldap/schema/ test
+
 - Update languages (needs a Transifex token)
   $ ./scripts/download_translations
 
@@ -39,6 +44,8 @@ Before release
 
 - Update doc/admin/documentation.rst to display vulnerable packaged versions
 
+- Close the milestone on Gitlab and create a new one
+
 For minor release
 -----------------
 
@@ -113,9 +120,7 @@ Upload on Docker hub
 Site
 ----
 
-- Update links on the download page
-- Close the milestone on Gitlab and create a new one
-- Update admin documentation and API documentation
+- Update version in the download page (see website-landing-page repository)
 
 Spread the word
 ---------------

_example/etc/api-apache2.4.conf

@@ -92,7 +92,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/api-apache2.X.conf

@@ -105,7 +105,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/api-apache2.conf

@@ -94,7 +94,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/api-nginx.conf

@@ -40,9 +40,6 @@ server {
     #uwsgi_param SCRIPT_FILENAME $document_root$sc;
     #uwsgi_param SCRIPT_NAME $sc;
 
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
-
   }
 
   # By default, access to this VHost is denied

_example/etc/handler-apache2.4.conf

@@ -44,9 +44,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
     #    # an upper PerlHeaderParserHandler directive
     #    #PerlHeaderParserHandler Apache2::Const::DECLINED
     #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 
 

_example/etc/handler-apache2.X.conf

@@ -61,9 +61,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
     #    # an upper PerlHeaderParserHandler directive
     #    #PerlHeaderParserHandler Apache2::Const::DECLINED
     #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 
 

_example/etc/handler-apache2.conf

@@ -51,9 +51,6 @@ ErrorDocument 503 http://auth.__DNSDOMAIN__/lmerror/503
     #    # an upper PerlHeaderParserHandler directive
     #    #PerlHeaderParserHandler Apache2::Const::DECLINED
     #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 
 

_example/etc/handler-nginx.conf

@@ -41,7 +41,7 @@ server {
     fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
     fastcgi_param LLTYPE reload;
 
-    # OR TO USE uWSGI
+    # Or with uWSGI
     #include /etc/nginx/uwsgi_params;
     #uwsgi_pass 127.0.0.1:5000;
     #uwsgi_param LLTYPE reload;
@@ -50,9 +50,6 @@ server {
   # Client requests
   location / {
     deny all;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
   }
 
   # Uncomment this if status is enabled
@@ -64,7 +61,7 @@ server {
   #  include /etc/nginx/fastcgi_params;
   #  fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
   #  fastcgi_param LLTYPE status;
-  #  # OR TO USE uWSGI
+  #  # Or with uWSGI
   #  #include /etc/nginx/uwsgi_params;
   #  #uwsgi_pass 127.0.0.1:5000;
   #  #uwsgi_param LLTYPE status;

_example/etc/manager-apache2.4.conf

@@ -95,7 +95,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/manager-apache2.X.conf

@@ -114,7 +114,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/manager-apache2.conf

@@ -98,7 +98,4 @@
         Options +FollowSymLinks
         DirectoryIndex index.html start.html
     </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/manager-nginx.conf

@@ -29,15 +29,12 @@ server {
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO  $fastcgi_path_info;
 
-    # OR TO USE uWSGI
+    # Or with uWSGI
     #include /etc/nginx/uwsgi_params;
     #uwsgi_pass 127.0.0.1:5000;
     #uwsgi_param LLTYPE psgi;
     #uwsgi_param SCRIPT_FILENAME $document_root$sc;
     #uwsgi_param SCRIPT_NAME $sc;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
   }
 
   location / {

_example/etc/portal-apache2.4.conf

@@ -113,8 +113,5 @@
                 Header append Vary User-Agent env=!dont-vary
         </IfModule>
     </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 

_example/etc/portal-apache2.X.conf

@@ -144,8 +144,5 @@
                 Header append Vary User-Agent env=!dont-vary
         </IfModule>
     </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 

_example/etc/portal-apache2.conf

@@ -110,8 +110,5 @@
                 Header append Vary User-Agent env=!dont-vary
         </IfModule>
     </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>
 

_example/etc/portal-nginx.conf

@@ -5,9 +5,10 @@
 #  ~/CN=(?<CN>[^/]+) $CN;
 #}
 
-# FastCGI backend definition
+# FastCGI/uWSGI backend definition
 upstream llng_portal_upstream {
     server unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
+    #server 127.0.0.1:5000;
 }
 
 server {
@@ -44,9 +45,9 @@ server {
     # Uncomment this if you use Auth SSL:
     #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
 
-    # OR TO USE uWSGI
+    # Or with uWSGI
     #include /etc/nginx/uwsgi_params;
-    #uwsgi_pass 127.0.0.1:5000;
+    #uwsgi_pass llng_portal_upstream;
     #uwsgi_param LLTYPE psgi;
     #uwsgi_param SCRIPT_FILENAME $document_root$sc;
     #uwsgi_param SCRIPT_NAME $sc;
@@ -56,30 +57,35 @@ server {
     # REST/SOAP functions for sessions management (disabled by default)
     location ~ ^/index.psgi/adminSessions {
       fastcgi_pass llng_portal_upstream;
+      #uwsgi_pass llng_portal_upstream;
       deny all;
     }
 
     # REST/SOAP functions for proxy auth and password reset (disabled by default)
     location ~ ^/index.psgi/proxy {
       fastcgi_pass llng_portal_upstream;
+      #uwsgi_pass llng_portal_upstream;
       deny all;
     }
 
     # REST/SOAP functions for sessions access (disabled by default)
     location ~ ^/index.psgi/sessions {
       fastcgi_pass llng_portal_upstream;
+      #uwsgi_pass llng_portal_upstream;
       deny all;
     }
 
     # REST/SOAP functions for configuration access (disabled by default)
     location ~ ^/index.psgi/config {
       fastcgi_pass llng_portal_upstream;
+      #uwsgi_pass llng_portal_upstream;
       deny all;
     }
 
     # REST/SOAP functions for notification insertion (disabled by default)
     location ~ ^/index.psgi/notification {
       fastcgi_pass llng_portal_upstream;
+      #uwsgi_pass llng_portal_upstream;
       deny all;
     }
 
@@ -88,9 +94,6 @@ server {
   index index.psgi;
   location / {
     try_files $uri $uri/ =404;
-
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
   }
 
   location /static/ {

_example/etc/test-apache2.4.conf

@@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
     <IfModule mod_dir.c>
         DirectoryIndex index.pl index.html
     </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/test-apache2.X.conf

@@ -41,7 +41,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
     <IfModule mod_dir.c>
         DirectoryIndex index.pl index.html
     </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/test-apache2.conf

@@ -36,7 +36,4 @@ PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
     <IfModule mod_dir.c>
         DirectoryIndex index.pl index.html
     </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
 </VirtualHost>

_example/etc/test-nginx.conf

@@ -32,14 +32,17 @@ server {
     #fastcgi_buffers 32 32k;
     
 
-    # OR TO USE uWSGI
+    # Or with uWSGI
     #include /etc/nginx/uwsgi_params;
     #uwsgi_pass 127.0.0.1:5000;
+    # Drop post datas
     #uwsgi_pass_request_body  off;
     #uwsgi_param CONTENT_LENGTH "";
+    # Keep original hostname
     #uwsgi_param HOST $http_host;
+    # Keep original request (LLNG server will receive /lmauth)
     #uwsgi_param X_ORIGINAL_URI $original_uri;
-    # Improve performances
+    ## Improve performances
     #uwsgi_buffer_size 32k;
     #uwsgi_buffers 32 32k;
   }
@@ -88,9 +91,6 @@ server {
     # OR in the corresponding block
     #fastcgi_param HTTP_COOKIE $lmcookie;
 
-    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
-
     # Set REMOTE_USER and REMOTE_CUSTOM (for FastCGI apps only)
     #fastcgi_param REMOTE_USER $lmremote_user;
     #fastcgi_param REMOTE_CUSTOM $lmremote_custom;

changelog

@@ -1,3 +1,174 @@
+lemonldap-ng (2.0.15.1) jammy; urgency=medium
+
+  * Bugs:
+    * #2796: "Internal Server Error" during MFA flow when using LDAP as UserDB in 2.0.15
+
+ -- Clément <clem.oudot@gmail.com>  Thu, 15 Sep 2022 15:58:47 +0200
+
+lemonldap-ng (2.0.15) jammy; urgency=medium
+
+  * Bugs:
+    * #2615: Redirection issue with Issue SAML + ForceAuthn=true + Kerberos authentication
+    * #2650: Empty SCRIPT_NAME breaks the portal
+    * #2690: Second factor logo/label not used on registration screen
+    * #2708: Auth::OpenIDConnect redirects in a loop when invalid JSON metadata is provided
+    * #2712: 2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
+    * #2714: Session upgrade link in 2FA manager not working
+    * #2716: 2FA registration does not auto-redirect to only available provider after deleting an existing 2FA
+    * #2724: one importMetadata Script default option isn't correct
+    * #2733: Allowing ALL special characters does not work with reset password form
+    * #2742: convertConfig no error but nothing converted
+    * #2758: [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
+    * #2760: Userinfo does not show updated attributs when using Offline sessions
+    * #2769: missing handler logs with default Nginx + LemonLDAP
+    * #2772: translation overrides from skin json files are not used when sending emails
+    * #2773: translation override from skin bypasses llng.ini
+    * #2785: Invalid <Organization> in SAML metadata can crash portal startup
+    * #2787: Status: Unknown command line during OIDC flow
+    * #2789: $portal->templateDir causes skin mix-up
+    * #2791: After token timeout during 2FA flow,  login form is left in broken state
+    * #2793: samlGotAuthnRequest cannot modify $login->request when signature validation is enabled
+
+  * New features:
+    * #2491: Use environment variables placeholder in lemonldap json configuration
+    * #2713: handle refresh tokens in Auth::OpenIDConnect
+    * #2737: remember previous authentication choice
+    * #2763: Install LL::NG on EL9
+
+  * Improvements:
+    * #2607: bypass OIDC logout confirmation
+    * #2674: Add HSTS as new security parameter in the Manager
+    * #2692: New API for CAPTCHA plugins
+    * #2719: importMetadata should handle conflicts between multiple federations
+    * #2720: importMetadata should be configurable
+    * #2723: Cannot specify custom urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef values for LemonLDAP IdPs
+    * #2725: Add session data to oidcGenerateUserInfoResponse
+    * #2726: Add a session variable for used 2F module
+    * #2732: Add userLogger event when a specific 2FA is selected
+    * #2739: Provide a specific package to install LLNG FastCGI client
+    * #2745: portalEnablePasswordDisplay is not used in password change form
+    * #2746: SAML metadata without SingleLogoutService leads to error at logout
+    * #2753: Add IDP selection rules for CAS and OIDC
+    * #2755: OIDC : issue on token endpoint with method client_secret_basic
+    * #2756: Allow customization of portal JS code with jQuery events
+    * #2757: Allow admins to change the 2FA timeout
+    * #2759: Append a go-back-to-top button
+    * #2761: Append an option to customize Manager CSS
+    * #2762: Add re-send option to code-based OTPs
+    * #2768: Add new hooks on Access Token refresh
+    * #2775: Notification process can not be continued with JSON response
+    * #2780: New lemonldap-ng-cli subcommand: merge
+    * #2782: Notifications are not sorted by sessions explorer and epoch is  not converted into local date
+    * #2784: Allow history fields to be translated in templates
+
+  * Templates:
+    * #2690: Second factor logo/label not used on registration screen
+    * #2714: Session upgrade link in 2FA manager not working
+    * #2737: remember previous authentication choice
+    * #2745: portalEnablePasswordDisplay is not used in password change form
+    * #2750: Option to define the favicon
+    * #2759: Append a go-back-to-top button
+    * #2761: Append an option to customize Manager CSS
+
+ -- Clément <clem.oudot@gmail.com>  Fri, 09 Sep 2022 10:13:43 +0200
+
+lemonldap-ng (2.0.14) focal; urgency=medium
+
+  * Bugs:
+    * #2519: first authentication returns 500 code after inactivity period
+    * #2566: No configuration available in fresh LemonLDAP 2.0.12
+    * #2594: Double slashes in _pdata->{_url} when LLNG is OIDC RP
+    * #2595: Portal does not run correctly with portalRequireOldPassword=0
+    * #2596: [security:low] open redirect in CAS gateway mode
+    * #2597: External password reset URL is called with skin= and url= parameters
+    * #2600: RESTProxy authentication does not work with AuthChoice-enabled internal Portal
+    * #2603: Saving configuration drops OIDC scope rules
+    * #2606: FindUser plugin: SpoofId field is not updated if a value has been already set before the Ajax request
+    * #2612: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
+    * #2613: ProxyAuth cookie name can not be modified
+    * #2616: Login is not remembered when password is incorrect
+    * #2618: DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
+    * #2620: Net::LDAP::Control::PasswordPolicy is not always loaded
+    * #2622: Fail oauth2 grants when resulting scope is empty
+    * #2626: Portal fatal errors cause "Conflict detected between 2 extensions, aborting 1 route" message to appear in logs
+    * #2632: Handler::Server::Nginx does not use logger config from lemonldap-ng.ini
+    * #2637: Error with default locationRules
+    * #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
+    * #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
+    * #2655: 'afterData' plugins loaded after Impersonation will be never executed
+    * #2656: CAS: multiple proxies is not correctly implemented
+    * #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
+    * #2660: Combination is not compatible with LDAP password policies
+    * #2663: Radius authentication fails when radius used as authentication module
+    * #2671: xss attack detected on a relayState parameter
+    * #2675: Auth::Custom calls module init twice
+    * #2676: UserDB::Custom and Password::Custom loads module twice and calls init three times
+    * #2677: *::Custom do not allow config overrides
+    * #2678: Auth::Custom getDisplayType is broken with choice
+    * #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
+    * #2689: REST server: 400 bad request with DELETE /session/my
+    * #2691: Error when using has2f in a manager rule
+    * #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
+    * #2703: OIDC RP menu attributes name do not refresh live
+
+  * New features:
+    * #1411: Web Authentication API (webauthn)
+    * #2325: "Warn on new network location" plugin
+    * #2679: CheckDevOps: Append an option to check if used attributes are existing
+    * #2686: Web service for application list
+
+  * Improvements:
+    * #1714: Check logLevel value
+    * #2277: pdata cookie is not removed if SAML flow fails
+    * #2457: Do not translate OIDC RP exported attributes
+    * #2476: $groups is not initialize  for  at least LDAP authentication
+    * #2508: Look configuration timestamp to dismiss cache
+    * #2558: Add a new portal error code for Auth::OIDC issues
+    * #2565: Adding per-request information in logs
+    * #2570: RGAA: Adding a role attribute into messages
+    * #2577: RGAA: placeholder only should not be used as label
+    * #2591: stayconnected plugin: allow to disable browser fingerprint check and update documentation
+    * #2593: Contextual / Adaptive authentication / Risk-based authentication
+    * #2599: Certificate reset templates are not translated
+    * #2601: RESTProxy authentication does not support Impersonation
+    * #2602: Export OIDC grant type in rules
+    * #2604: Append an option to normalize HTTP headers with CheckDevOps plugin
+    * #2605: llnglanguage cookie will be rejected if sameSite attribute is not set
+    * #2609: Better history management for plugins
+    * #2614: display precise error while sending direct SOAP SAML message
+    * #2617: SafeJail must be enabled with CheckDevOps plugin
+    * #2619: Brazilian translation
+    * #2621: SAML: HTTP-Artifact mode should be discouraged
+    * #2625: Add an option to encrypt TOTP secrets
+    * #2627: Append an option in Manager to be able to set RULES_URL param
+    * #2638: Redirect to 2fregisters is missing a slash
+    * #2644: No error displayed in logs in DevOps Handler when rules file can't be downloaded
+    * #2646: bruteForceProtectionMaxAge and bruteForceProtectionMaxLockTime missing from manager
+    * #2647: Display logins history with CheckUser plugin
+    * #2649: Portal plugins should not require an "init" method
+    * #2651: Hebrew Translation
+    * #2654: CAS temporary tickets should have a short expiration time
+    * #2657: Hidden attributes, custom functions and plugins declarations are inconsistent
+    * #2662: CheckUser plugin: Append a rule to allow some users to display hidden attributes
+    * #2664: impossible to use getModule in the Password modules
+    * #2667: Add RP confkey to oidcGenerateUserInfoResponse plugin hook
+    * #2668: CheckDevOps: prevent portal crash/loop if a bad rules.json file is provided
+    * #2672: DBI password hash list is too restrictive
+    * #2673: Allow to configure multiple service URL per CAS application
+    * #2679: CheckDevOps: Append an option to check if used attributes are existing
+    * #2683: Possibility to set an activation rule for "remember me" option
+    * #2685: DevOps handler uses default HTTPS redirection if no VH is defined
+    * #2694: Chrome warns about compromised data when using form replay
+    * #2698: Avoid useless warning messages in log
+
+  * Templates:
+    * #2325: "Warn on new network location" plugin
+    * #2570: RGAA: Adding a role attribute into messages
+    * #2577: RGAA: placeholder only should not be used as label
+    * #2597: External password reset URL is called with skin= and url= parameters
+
+ -- Clément <clem.oudot@gmail.com>  Sat, 19 Feb 2022 17:49:18 +0100
+
 lemonldap-ng (2.0.13) focal; urgency=medium
 
   * Bugs:

codemeta.json

@@ -0,0 +1,91 @@
+{
+    "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+    "@type": "SoftwareSourceCode",
+    "license": "https://spdx.org/licenses/GPL-2.0-or-later",
+    "codeRepository": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng",
+    "contIntegration": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/pipelines",
+    "dateCreated": "2004-01-01",
+    "datePublished": "2010-12-06",
+    "dateModified": "2022-09-15",
+    "downloadUrl": "https://lemonldap-ng.org/download.html",
+    "issueTracker": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues",
+    "name": "LemonLDAP::NG",
+    "version": "2.0.15.1",
+    "description": "LemonLDAP::NG is a complete and modular Web-SSO system that can run with reverse-proxies or directly on application webservers. It can be used in conjunction with OpenID-Connect, CAS and SAML systems as identity or service provider. It can also be used as proxy between those federation systems.\n\nIt manages both authentication and authorization and provides headers for accounting. So you can have a full AAA protection. Authorizations are built by associating a regular expression and a rule. Regular expression is applied on the requested URL and the rule calculates if the user is authorized.",
+    "applicationCategory": "WebSSO",
+    "developmentStatus": "active",
+    "keywords": [
+        "2FA",
+        "sso",
+        "ldap",
+        "authentication",
+        "authorization",
+        "cas",
+        "saml",
+        "openid connect",
+        "access management",
+        "security"
+    ],
+    "programmingLanguage": [
+        "Perl",
+        "Javascript"
+    ],
+    "operatingSystem": [
+        "Linux"
+    ],
+    "author": [
+        {
+            "@type": "Person",
+            "givenName": "Xavier",
+            "familyName": "Guimard",
+            "email": "yadd@debian.org"
+        },
+        {
+            "@type": "Person",
+            "givenName": "Clément",
+            "familyName": "Oudot",
+            "email": "clement@oodo.net"
+        },
+        {
+            "@type": "Person",
+            "@id": "https://orcid.org/0000-0001-5215-9046",
+            "givenName": "Christophe",
+            "familyName": "Maudoux",
+            "email": "christophe.maudoux@cnam.fr",
+            "affiliation": {
+                "@type": "Organization",
+                "name": "Cnam/Cedric - ROC Team"
+            }
+        },
+        {
+            "@type": "Person",
+            "givenName": "Maxime",
+            "familyName": "Besson",
+            "email": "maxime.besson@worteks.com"
+        }
+    ],
+    "contributor": [
+        {
+            "@type": "Person",
+            "givenName": "David",
+            "familyName": "Coutadeur"
+        },
+        {
+            "@type": "Person",
+            "givenName": "Alexandre",
+            "familyName": "Karim"
+        },
+        {
+            "@type": "Person",
+            "givenName": "Xavier",
+            "familyName": "Bachelot",
+            "email": "xavier@bachelot.org"
+        },
+        {
+            "@type": "Person",
+            "givenName": "Soisik",
+            "familyName": "Froger",
+            "email": "soisik.froger@worteks.com"
+        }
+    ]
+}

debian/changelog

@@ -1,3 +1,24 @@
+lemonldap-ng (2.0.15.1-1) unstable; urgency=medium
+
+  * New release. See changes on our website:
+    https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
+
+ -- Clement OUDOT <clement@oodo.net>  Thu, 15 Sep 2022 22:00:00 +0100
+
+lemonldap-ng (2.0.15-1) unstable; urgency=medium
+
+  * New release. See changes on our website:
+    https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
+
+ -- Clement OUDOT <clement@oodo.net>  Fri, 09 Sep 2022 22:00:00 +0100
+
+lemonldap-ng (2.0.14-1) unstable; urgency=medium
+
+  * New release. See changes on our website:
+    https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
+
+ -- Clement OUDOT <clement@oodo.net>  Sat, 19 Feb 2022 22:00:00 +0100
+
 lemonldap-ng (2.0.13-1) unstable; urgency=medium
 
   * New release. See changes on our website:

debian/control

@@ -5,7 +5,7 @@ Section: perl
 Priority: optional
 Build-Depends: debhelper (>= 10),
                po-debconf
-Build-Depends-Indep: gsfonts <!nocheck>,
+Build-Depends-Indep: fonts-urw-base35 <!nocheck> | gsfonts <!nocheck>,
                      libapache-session-perl <!nocheck>,
                      libauth-yubikey-webclient-perl <!nocheck>,
                      libauthen-oath-perl <!nocheck>,
@@ -19,6 +19,8 @@ Build-Depends-Indep: gsfonts <!nocheck>,
                      libcrypt-openssl-x509-perl <!nocheck>,
                      libcrypt-urandom-perl <!nocheck>,
                      libcrypt-rijndael-perl <!nocheck>,
+                     libcrypt-u2f-server-perl <!nocheck>,
+                     libdatetime-format-rfc3339-perl <!nocheck>,
                      libdbd-sqlite3-perl <!nocheck>,
                      libdbi-perl <!nocheck>,
                      libdigest-hmac-perl <!nocheck>,
@@ -26,15 +28,18 @@ Build-Depends-Indep: gsfonts <!nocheck>,
                      libgd-securityimage-perl <!nocheck>,
                      libglib-perl <!nocheck>,
                      libgssapi-perl <!nocheck>,
+                     libhash-merge-simple-perl <!nocheck>,
                      libhtml-template-perl <!nocheck>,
                      libimage-magick-perl <!nocheck>,
                      libio-string-perl <!nocheck>,
                      libipc-run-perl <!nocheck>,
+                     liblist-moreutils-perl <!nocheck>,
                      libjson-perl <!nocheck>,
                      libjson-xs-perl <!nocheck>,
                      liblasso-perl <!nocheck>,
                      libmime-tools-perl <!nocheck>,
                      libmouse-perl <!nocheck>,
+                     libclass-xsaccessor-perl <!nocheck>,
                      libnet-cidr-lite-perl <!nocheck>,
                      libnet-ldap-perl <!nocheck>,
                      libio-socket-timeout-perl <!nocheck>,
@@ -46,12 +51,13 @@ Build-Depends-Indep: gsfonts <!nocheck>,
                      libsoap-lite-perl <!nocheck>,
                      libstring-random-perl <!nocheck>,
                      libtest-mockobject-perl <!nocheck>,
-                     libtest-pod-perl <!nocheck>,
                      libtest-output-perl <!nocheck>,
+                     libtest-pod-perl <!nocheck>,
                      libtext-unidecode-perl <!nocheck>,
                      libtime-fake-perl <!nocheck>,
                      libunicode-string-perl <!nocheck>,
                      liburi-perl <!nocheck>,
+                     libhttp-message-perl <!nocheck>,
                      libwww-perl <!nocheck>,
                      libxml-libxml-perl <!nocheck>,
                      libxml-libxslt-perl <!nocheck>,
@@ -60,7 +66,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
                      python3-sphinx,
                      python3-sphinx-bootstrap-theme,
                      perl
-Standards-Version: 4.6.0
+Standards-Version: 4.6.1
 Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
 Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
 Homepage: https://lemonldap-ng.org/
@@ -94,6 +100,7 @@ Architecture: all
 Section: doc
 Depends: ${misc:Depends}
 Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: foreign
 Description: Lemonldap::NG Web-SSO system documentation
  Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
  or directly on application webservers. It can be used in conjunction with
@@ -110,7 +117,6 @@ Description: Lemonldap::NG Web-SSO system documentation
 Package: lemonldap-ng-fastcgi-server
 Architecture: all
 Section: web
-Pre-Depends: ${misc:Pre-Depends}
 Depends: ${misc:Depends},
          ${perl:Depends},
          lsb-base,
@@ -120,6 +126,7 @@ Depends: ${misc:Depends},
          libplack-perl
 Recommends: libhttp-parser-xs-perl,
             nginx-extras | nginx
+Pre-Depends: ${misc:Pre-Depends}
 Description: Lemonldap::NG FastCGI server
  Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
  or directly on application webservers. It can be used in conjunction with
@@ -134,11 +141,22 @@ Description: Lemonldap::NG FastCGI server
  Lemonldap::NG FastCGI server provides a Nginx auth_request server that handles
  also LLNG Portal and Manager.
 
+Package: liblemonldap-ng-ssoaas-apache-client-perl
+Architecture: all
+Section: web
+Depends: ${misc:Depends},
+         ${perl:Depends}
+Breaks: liblemonldap-ng-handler-perl (<< 2.0.14~)
+Multi-Arch: foreign
+Description: Lemonldap::NG SSOaaS client for Apache
+ Lemonldap::NG is a complete Web-SSO system that provides a SSO-as-a-Service
+ system, natively usable with Nginx. Lemonldap::NG::SSOaaS::Apache::Client
+ permits one to enroll an Apache server into Lemonldap::NG's SSOaaS service.
+
 Package: lemonldap-ng-uwsgi-app
 Architecture: all
 Section: web
 Depends: ${misc:Depends},
-         ${perl:Depends},
          liblemonldap-ng-handler-perl (= ${binary:Version})
 Recommends: libhttp-parser-xs-perl,
             uwsgi-plugin-psgi
@@ -204,6 +222,7 @@ Architecture: all
 Depends: ${misc:Depends},
          ${perl:Depends},
          debconf,
+         perl-doc,
          libapache-session-perl,
          libcache-cache-perl,
          libconfig-inifiles-perl,
@@ -215,6 +234,7 @@ Depends: ${misc:Depends},
          libjson-perl,
          libjson-xs-perl,
          libmouse-perl,
+         libclass-xsaccessor-perl,
          libplack-perl,
          liburi-perl,
          libwww-perl
@@ -230,7 +250,6 @@ Suggests: libconvert-base32-perl,
           libsoap-lite-perl,
           libxml-libxml-perl,
           libxml-simple-perl
-Conflicts: liblemonldap-ng-cli-perl
 Description: Lemonldap::NG common files
  Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
  or directly on application webservers. It can be used in conjunction with
@@ -254,6 +273,7 @@ Depends: ${misc:Depends},
          libcrypt-openssl-rsa-perl,
          libemail-date-format-perl,
          liblemonldap-ng-handler-perl (= ${binary:Version}),
+         libhash-merge-simple-perl,
          lemonldap-ng-fastcgi-server (= ${binary:Version}) | lemonldap-ng-uwsgi-app (= ${binary:Version}) | apache2 | httpd-cgi
 Recommends: lemonldap-ng-doc (= ${binary:Version}),
             libxml-libxml-perl,
@@ -286,7 +306,8 @@ Depends: ${misc:Depends},
          libregexp-assemble-perl,
          liblist-moreutils-perl,
          libemail-date-format-perl
-Recommends: gsfonts,
+Recommends: fonts-urw-base35 | gsfonts,
+            libauthen-webauthn-perl,
             libcrypt-openssl-bignum-perl,
             libconvert-base32-perl,
             libio-string-perl,
@@ -297,19 +318,19 @@ Recommends: gsfonts,
             libio-socket-timeout-perl,
             libunicode-string-perl
 Suggests: gpg,
+          libauthen-radius-perl,
           libcrypt-u2f-server-perl,
           libdbi-perl,
           libglib-perl,
           libgssapi-perl,
           libimage-magick-perl,
           liblasso-perl,
-          libnet-facebook-oauth2-perl (>= 0.10),
+          libnet-facebook-oauth2-perl,
           libnet-openid-consumer-perl,
           libnet-openid-server-perl,
           libnet-oauth-perl,
           libsoap-lite-perl,
           libweb-id-perl,
-          libauthen-radius-perl,
           slapd
 Pre-Depends: debconf
 Description: Lemonldap::NG authentication portal part
@@ -326,5 +347,5 @@ Description: Lemonldap::NG authentication portal part
  Lemonldap::NG::Portal provides the authentication portal.
  .
  You may have to install some suggested packages depending on plugins you
- enabled. For example, libgd-securityimage-perl and gsfonts are needed if you
- want to use Captcha, libcrypt-u2f-server-perl for U2F features,...
+ enabled. For example, libgd-securityimage-perl and fonts-urw-base35 are needed
+ if you want to use Captcha, libcrypt-u2f-server-perl for U2F features,...

debian/copyright

@@ -4,22 +4,22 @@ Upstream-Contact: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
 Source: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tags?sort=updated_desc
 
 Files: *
-Copyright: 2005-2020, Xavier Guimard <yadd@debian.org>
- 2006-2020, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
  2008, Mikael Ates <mikael.ates@univ-st-etienne.fr>
  2008-2011, Thomas Chemineau <thomas.chemineau@gmail.com>
  2012-2013, Sandro Cazzaniga <cazzaniga.sandro@gmail.com>
  2012-2015, François-Xavier Deltombe <fxdeltombe@gmail.com>
- 2012-2019, David Coutadeur <david.coutadeur@gmail.com>
- 2018-2020, Christophe Maudoux <chrmdx@gmail.com>
- 2019-2020, Maxime Besson <maxime.besson@worteks.com>
+ 2012-2021, David Coutadeur <david.coutadeur@gmail.com>
  2019, Soisik Frogier <soisik.froger@worteks.com>
  2019, Mame Dieynaba Sene <msene@linagora.com>
- 2019, Antoine Rosier <lemonldap@mon-refuge.fr>
- 2005-2020, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
+ 2019-2021, Antoine Rosier <lemonldap@mon-refuge.fr>
+ 2005-2022, Gendarmerie nationale <https://www.gendarmerie.interieur.gouv.fr>
  2006-2019, LINAGORA <info@linagora.com>
  2015-2018, Savoir-faire Linux <contact@savoirfairelinux.com>
- 2018-2020, Worteks <info@worteks.com>
+ 2018-2022, Worteks <info@worteks.com>
 License: GPL-2+
 
 Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
@@ -33,17 +33,23 @@ Copyright: 2011, Tatsuhiko Miyagawa <miyagawa@bulknews.net>
 License: Artistic or GPL-1+
 
 Files: *.js
-Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
- 2006-2019, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
  2008-2012, Thomas Chemineau <thomas.chemineau@gmail.com>
- 2018-2019, Christophe Maudoux <chrmdx@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
 License: GPL-2+
 
+Files: lemonldap-ng-portal/site/htdocs/static/bootstrap/webauthn.png
+Copyright: James Cullum <https://github.com/JamesCullum>
+License: WebAuthnLogoLicense
+
 Files: lemonldap-ng-portal/site/htdocs/static/common/js/portal.js
-Copyright: 2005-2019, Xavier Guimard <yadd@debian.org>
- 2006-2019, Clement Oudot <clem.oudot@gmail.com>
+Copyright: 2005-2022, Xavier Guimard <yadd@debian.org>
+ 2006-2022, Clement Oudot <clem.oudot@gmail.com>
  2008-2012, Thomas Chemineau <thomas.chemineau@gmail.com>
- 2018-2019, Christophe Maudoux <chrmdx@gmail.com>
+ 2018-2022, Christophe Maudoux <chrmdx@gmail.com>
+ 2019-2022, Maxime Besson <maxime.besson@worteks.com>
 License: GPL-2+
 Comment: a little part of it comes from JQuery-UI examples
  (https://snipplr.com/view/29434/)
@@ -1271,3 +1277,26 @@ License: BSD-3-clause
  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: WebAuthnLogoLicense
+ How to Use These Logos
+ .
+ Do these awesome things:
+ .
+  * Use the WebAuthn logo to link to WebAuthn specs or webauthn.org
+  * Use the WebAuthn logo to show that your product or project has built-in WebAuthn integration
+  * Use the WebAuthn logo in a blog post or news article about WebAuthn
+ .
+ Please don't do these things:
+ .
+  x Use the WebAuthn logo for your application’s icon
+  x Create a modified version of the WebAuthn logo
+  x Integrate the WebAuthn logo into your logo
+  x Use any WebAuthn artwork without permission
+  x Sell any WebAuthn artwork without permission
+  x Change the colors, dimensions or add your own text/images
+ .
+ Please contact me
+ .
+  * If you want to use artwork not included in this repository
+  * If you want to use these images in a video/mainstream media

debian/lemonldap-ng.README.Debian

@@ -14,7 +14,7 @@ with a quick sed command. For example, we change it to ow2.org:
 
 2.1 - Apache
 
-Enable the components you've installed:
+Enable installed components:
 
   # Portal
   a2ensite portal-apache2.conf
@@ -37,7 +37,7 @@ Then restart Apache:
 
 2.2 - Nginx
 
-Enable the components you've installed:
+Enable installed components:
 
   cd /etc/nginx/sites-enabled
 
@@ -57,16 +57,16 @@ Enable the components you've installed:
   # Test site
   ln -s ../site-available/test-nginx.conf
 
-Customize then, then reload nginx
+Customize them, then reload nginx
 
-  service nginx reload
+  nginx -s reload
 
 3 - Check your DNS
 ------------------
 
-Be sure that your browser can join (adapt it with your domain):
-- auth.example.com   : the authentication portal
-- manager.example.com: the configuration interface
+Be sure that your browser can reach (adapt it with your domain):
+- auth.example.com    : Authentication portal
+- manager.example.com : Configuration interface
 
 4 - Connect to the manager
 --------------------------
@@ -88,9 +88,9 @@ following accounts:
 6 - Base configuration file
 ---------------------------
 
-The configuration is managed by the manager with the exception of some basic
-parameters such as the storage type configuration. These parameters are defined
-in the file /etc/lemonldap-ng/lemonldap-ng.ini.
+Configuration is managed by the Manager except some basic parameters
+such as storage type configuration. These parameters are defined
+in /etc/lemonldap-ng/lemonldap-ng.ini file.
 
 This file can also be used to override the global configuration locally
 

debian/liblemonldap-ng-common-perl.install

@@ -2,6 +2,7 @@ etc/lemonldap-ng/lemonldap-ng.ini
 etc/lemonldap-ng/for_etc_hosts
 usr/share/man/man1/convertConfig.1p
 usr/share/man/man1/convertSessions.1p
+usr/share/man/man1/encryptTotpSecrets.1p
 usr/share/man/man1/importMetadata.1p
 usr/share/man/man1/lemonldap-ng-cli.1p
 usr/share/man/man1/lemonldap-ng-sessions.1p
@@ -11,6 +12,7 @@ usr/share/perl5/Lemonldap/NG/Common*
 usr/share/lemonldap-ng/ressources
 usr/share/lemonldap-ng/bin/convertConfig
 usr/share/lemonldap-ng/bin/convertSessions
+usr/share/lemonldap-ng/bin/encryptTotpSecrets
 usr/share/lemonldap-ng/bin/importMetadata
 usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
 usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini

debian/liblemonldap-ng-ssoaas-apache-client-perl.install

@@ -0,0 +1,2 @@
+usr/share/perl5/Lemonldap/NG/SSOaaS/Apache
+usr/share/man/man3/Lemonldap::NG::SSOaaS::Apache*

debian/rules

@@ -31,6 +31,7 @@ override_dh_auto_build:
 
 override_dh_auto_install:
 	$(MAKE) install \
+			CHOWN=true \
 			DESTDIR=$(CURDIR)/debian/tmp \
 			PREFIX=/usr \
 			LMPREFIX=/usr/share/lemonldap-ng \

doc/pages/manager-api/index.html

@@ -764,7 +764,7 @@
   "type" : "object",
   "properties" : {
     "service" : {
-      "type" : "string"
+      "type" : "array"
     },
     "userAttribute" : {
       "type" : "string",
@@ -880,6 +880,9 @@
       "type" : "string",
       "format" : "url"
     },
+    "logoutBypassConfirm" : {
+      "type" : "boolean"
+    },
     "clientSecret" : {
       "type" : "string",
       "format" : "password"
@@ -1269,7 +1272,7 @@
     "type" : {
       "type" : "string",
       "description" : "The type of token in use",
-      "example" : "TOTP, U2F, UBK (Yubikey)"
+      "example" : "TOTP, U2F, UBK (Yubikey), WebAuthn"
     },
     "name" : {
       "type" : "string",

doc/sources/admin/adaptativeauthenticationlevel.rst

@@ -4,7 +4,7 @@ Adaptative Authentication Level
 Presentation
 ------------
 
-A user obtain an authentication level depending on which authentication
+A user reaches an authentication level depending on which authentication
 module was used, and eventually which second factor module.
 
 This plugin allows to adapt this authentication level depending on
@@ -23,7 +23,7 @@ they would then not be forced to use 2FA to access the strategic application.
 Configuration
 -------------
 
-This plugin is enabled when at least one rule is defind.
+This plugin is enabled when at least one rule is defined.
 
 To configure rules, go in ``General Parameters`` > ``Plugins`` >
 ``Adapative Authentication Level``.
@@ -39,7 +39,7 @@ You can then create rules with these fields:
 
 .. tip::
 
-    By example, to add 3 to authentication level for users from 192.168.0.0/24 network:
+    By example, to add 3 to authentication level for users from 192.168.0.0/16 network:
     
     - Rule: ``$env->{REMOTE_ADDR} =~ /^192\.168\./``
     - Value: ``+3``

doc/sources/admin/applications.rst

@@ -10,6 +10,7 @@ Applications
    applications/awx
    applications/bugzilla
    applications/bigbluebutton
+   applications/confluence
    applications/cornerstone
    applications/discourse
    applications/django
@@ -26,9 +27,11 @@ Applications
    applications/guacamole
    applications/humhub
    applications/iparapheur
+   applications/itsm-ng
    applications/jitsimeet
    applications/liferay
    applications/limesurvey
+   applications/mailman
    applications/matrix
    applications/mattermost
    applications/mediawiki
@@ -37,6 +40,7 @@ Applications
    applications/obm
    applications/odoo
    applications/office365
+   applications/opencti
    applications/publik
    applications/phpldapadmin
    applications/redmine
@@ -94,6 +98,7 @@ Application                                                       Configuration
 .. image:: applications/logo-awx.png                              :doc:`AWX (Ansible Tower)<applications/awx>`                                           ✔
 .. image:: applications/bigbluebutton-logo.png                    :doc:`BigBlueButton<applications/bigbluebutton>`                                            ✔
 .. image:: applications/bugzilla_logo.png                         :doc:`Bugzilla<applications/bugzilla>`               ✔
+.. image:: applications/confluence.png                            :doc:`Confluence<applications/confluence>`                                             ✔    ✔
 .. image:: applications/csod_logo.png                             :doc:`Cornerstone<applications/cornerstone>`                                           ✔
 .. image:: applications/discourse.jpg                             :doc:`Discourse<applications/discourse>`                                               ✔    ✔
 .. image:: applications/django_logo.png                           :doc:`Django<applications/django>`                   ✔
@@ -110,9 +115,11 @@ Application                                                       Configuration
 .. image:: applications/guacamole.png                             :doc:`Apache Guacamole<applications/guacamole>`      ✔                             ✔        ✔
 .. image:: applications/humhub_logo.png                           :doc:`HumHub<applications/humhub>`                                                          ✔
 .. image:: applications/iparapheur_logo.png                       :doc:`i-Parapheur<applications/iparapheur>`          ✔
+.. image:: applications/itsm-ng.png                               :doc:`ITSM-NG<applications/itsm-ng>`                 ✔                                      ✔
 .. image:: applications/logo-jitsimeet.png                        :doc:`Jitsi Meet<applications/jitsimeet>`            ✔
 .. image:: applications/liferay_logo.png                          :doc:`Liferay<applications/liferay>`                 ✔
 .. image:: applications/limesurvey_logo.png                       :doc:`LimeSurvey<applications/limesurvey>`           ✔
+.. image:: applications/mailman.jpg                               :doc:`Mailman<applications/mailman>`                                                        ✔
 .. image:: applications/matrix_logo.png                           :doc:`Matrix<applications/matrix>`                                                          ✔
 .. image:: applications/mattermost_logo.png                       :doc:`Mattermost<applications/mattermost>`                                                  ✔
 .. image:: applications/mediawiki_logo.png                        :doc:`Mediawiki<applications/mediawiki>`             ✔
@@ -121,6 +128,7 @@ Application                                                       Configuration
 .. image:: applications/obm_logo.png                              :doc:`OBM<applications/obm>`                         ✔
 .. image:: applications/odoo_logo.png                             :doc:`Odoo<applications/odoo>`                                                         ✔
 .. image:: applications/logo_office_365.png                       :doc:`Office 365<applications/office365>`                                              ✔
+.. image:: applications/opencti.png                               :doc:`OpenCTI<applications/opencti>`                                                   ✔    ✔
 .. image:: applications/logo-publik.png                           :doc:`Publik<applications/publik>`                                                          ✔
 .. image:: applications/phpldapadmin_logo.png                     :doc:`phpLDAPAdmin<applications/phpldapadmin>`       ✔
 .. image:: applications/redmine_logo.png                          :doc:`Redmine<applications/redmine>`                                                        ✔
@@ -130,7 +138,7 @@ Application                                                       Configuration
 .. image:: applications/simplesamlphp_logo.png                    :doc:`simpleSAMLphp<applications/simplesamlphp>`                                       ✔
 .. image:: applications/spring_logo.png                           :doc:`Spring<applications/spring>`                   ✔
 .. image:: applications/symfony_logo.png                          :doc:`Symfony<applications/symfony>`                 ✔
-.. image:: applications/sympa_logo.png                            :doc:`Sympa<applications/sympa>`                     ✔
+.. image:: applications/sympa_logo.png                            :doc:`Sympa<applications/sympa>`                     ✔                             ✔
 .. image:: applications/tomcat_logo.png                           :doc:`Tomcat<applications/tomcat>`                   ✔
 .. image:: applications/wekan-logo.png                            :doc:`Wekan<applications/wekan>`                                           ✔
 .. image:: applications/wiki.js.svg                               :doc:`Wiki.js<applications/wikijs>`                                           ✔

doc/sources/admin/applications/awx.rst

@@ -14,7 +14,7 @@ using SAML 2.0 protocol.
 
 You can find the Official AWX documentation about this topic here :
 https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings
-Please read it before the LLNG doc.
+Please read it before the LL::NG doc.
 
 Configuration
 -------------
@@ -34,8 +34,8 @@ saml in AWX, you can do it with your pki or with openssl on your machine
 
    openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes
 
-LLNG SAML Certificate
-~~~~~~~~~~~~~~~~~~~~~
+LL::NG SAML Certificate
+~~~~~~~~~~~~~~~~~~~~~~~
 
 AWX need a certificate for the IDP signature, a public key won't work.
 You can either just generate a certificate from the private key and put
@@ -55,7 +55,7 @@ certificate with this command :
    openssl req -new -x509 -days 3650 -key lemonldap.key > lemonldap.crt
 
 After that, if you want, you can replace your SAML public key with this
-certificate in LLNG configuration, this is not mandatory.
+certificate in LL::NG configuration, this is not mandatory.
 
 AWX
 ~~~
@@ -153,7 +153,7 @@ This is the configuration of the IdP :
 
 -  "attr_last_name": "sn" SAML Attribute for the user last name
 -  "x509cert": "SOXGp....." the content of ``lemonldap.crt`` generated
-   in the "LLNG SAML Certificate" section
+   in the "LL::NG SAML Certificate" section
 -  "attr_username": "uid" SAML Attribute for the user username
 -  "entity_id": "https://auth.example.com/saml/metadata" entityID of the
    IdP
@@ -184,7 +184,7 @@ Go to "SAML service providers", click on "Add SAML SP" and name it as
 you want (example : 'AWX')
 
 In the new subtree 'AWX', open 'Metadata' and paste the content of the
-AWX Metadatas, wich can be found at the
+AWX Metadata, wich can be found at the
 ``SAML Service Provider Metadata URL`` in AWX :
 https://awx.example.com/sso/metadata/saml/
 

doc/sources/admin/applications/bugzilla.rst

@@ -64,12 +64,12 @@ Configure Bugzilla virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/confluence.rst

@@ -0,0 +1,65 @@
+Confluence
+==========
+
+Presentation
+------------
+
+Confluence is a web-based corporate wiki developed by Atlassian.
+
+It is compatible with SAML and OpenID Connect. This tutorial will focus on SAML.
+
+Configuration
+-------------
+
+You must first configure LemonLDAP::NG as a :doc:`SAML Identity Provider<../idpsaml>`.
+
+Configure SAML in Confluence
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the SSO configuration page, choose SAML as the authentication method. And set the following parameters.
+
+Don't forget to replace ``auth.example.com`` with your actual domain.
+
+* Single sign on issuer: ``https://auth.example.com/saml/metadata``
+* Identity provider single sign on URL: ``https://auth.example.com/saml/singleSignOn``
+* X.509 certificate: You can find this certificate in the manager: SAML2 Service » Security » Signature » Public key
+* Username mapping attribute: ``${uid}``
+
+.. danger:: Make sure the certificate you copy into Confluence starts with BEGIN CERTIFICATE and not with BEGIN PRIVATE KEY
+
+Write down the *Assertion Consumer Service URL* and the *Audience URL*, that Confluence is showing you, you will need it to configure LemonLDAP::NG
+
+Configure LemonLDAP::NG
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In the LemonLDAP::NG Manager, create a new *SAML Service Provider*
+
+In *Metadata*, copy the following XML document, and don't forget to change ``AUDIENCE_URL`` and ``CONSUMER_SERVICE_URL`` the URLs with the values given by Confluence.
+
+::
+
+	<?xml version="1.0"?>
+	<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+		entityID="AUDIENCE_URL">
+	  <md:SPSSODescriptor
+		AuthnRequestsSigned="false"
+		WantAssertionsSigned="false"
+		protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+		  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+		  <md:AssertionConsumerService
+			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+			Location="CONSUMER_SERVICE_URL"
+			index="1"/>
+	  </md:SPSSODescriptor>
+	</md:EntityDescriptor>
+
+In *Exported Attributes*, add a new attribute:
+
+* Variable name: the session variable containing user logins
+* Attribute name: ``uid``
+* Mandatory: ``On``
+
+Finally, in *Options* » *Signature*, set
+
+* Check SSO message signature: Off
+* Check SLO message signature: Off

doc/sources/admin/applications/dokuwiki.rst

@@ -69,12 +69,12 @@ Configure Dokuwiki virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/drupal.rst

@@ -66,12 +66,12 @@ Configure Drupal virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/humhub.rst

@@ -192,7 +192,7 @@ Configuration sample using CLI:
            oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
            oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
            oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
-           oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 && \
+           oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1
 
 Migrate former local or ldap Humhub account to connect through SSO
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/sources/admin/applications/itsm-ng.rst

@@ -0,0 +1,64 @@
+ITSM NG
+=======
+
+|image0|
+
+Presentation
+------------
+
+`ITSM-NG <https://www.itsm-ng.org/>`__ is a fork of GLPI. The software's main features are: assets management, IT inventory, service desk, dashboards, KB...
+
+ITSM-NG is compatible with OpenID Connect protocol.
+
+OpenID Connect
+--------------
+
+Configuring ITSM-NG
+^^^^^^^^^^^^^^^^^^^
+
+The configuration steps are described on `ITSM-NG wiki <https://wiki.itsm-ng.org/oidc/>`__.
+
+Just set LemonLDAP::NG main portail URL in ``Provider`` field, and define ``Client ID`` and ``Client Secret``.
+
+Configuring LemonLDAP::NG
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If not done yet, configure LemonLDAP::NG as an
+:doc:`OpenID Connect service<..//openidconnectservice>`.
+
+Then add ITSM-NG as a :doc:`new OpenID Connect Relying Party<..//idpopenidconnect>`
+using the following parameters:
+
+* **Client ID**: the same you set in ITSM-NG configuration
+* **Client Secret**: the same you set in ITSM-NG configuration
+* Add the following **exported attributes**:
+   * **given_name**: user's givenName attribute
+   * **family_name**: user's sn attribute
+   * **email**: user's mail attribute
+* **Login and Logout Redirect URIs**: The main URL of ITSM-NG instance
+
+Configuration sample using CLI:
+
+::
+
+     $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
+         addKey \
+           oidcRPMetaDataExportedVars/itsmng given_name givenName \
+           oidcRPMetaDataExportedVars/itsmng family_name sn \
+           oidcRPMetaDataExportedVars/itsmng email mail \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsClientID myClientId \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsClientSecret myClientSecret \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsRedirectUris 'https://itsmng.example.com'  \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://itsmng.example.com' \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsIDTokenExpiration 3600 \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
+           oidcRPMetaDataOptions/itsmng oidcRPMetaDataOptionsBypassConsent 1
+
+.. tip::
+
+   Declare all attributes that you need to map in ITSM-NG configuration. These attributes must be returned by the scopes requested by ITSM-NG.
+
+.. |image0| image:: /applications/itsm-ng.png
+   :class: align-center
+

doc/sources/admin/applications/jitsimeet.rst

@@ -17,8 +17,7 @@ conference rooms.
 The official documentation provides instructions on `how to configure
 Jitsi Meet to use
 Shibboleth <https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md>`__,
-but with a little adaptation, it can work just as fine with
-LemonLDAP::NG.
+but with a little adaptation, it can work just as fine with LemonLDAP::NG.
 
 Configuration
 -------------
@@ -60,7 +59,7 @@ configuration file:
 ::
 
 
-   # This block lets Nginx know how to contact the local LLNG handler
+   # This block lets Nginx know how to contact the local LL::NG handler
    # for authentication
    location = /lmauth {
       internal;
@@ -76,7 +75,7 @@ configuration file:
    # You may want to change this is your goal is to make the whole Jitsi Meet instance private
    location /login/ {
 
-       # Protect the current path with LLNG
+       # Protect the current path with LL::NG
        auth_request /lmauth;
        set $original_uri $uri$is_args$args;
        auth_request_set $lmremote_user $upstream_http_lm_remote_user;

doc/sources/admin/applications/liferay.rst

@@ -124,12 +124,12 @@ Configure Liferay virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/mailman.rst

@@ -0,0 +1,67 @@
+GNU Mailman
+===========
+
+.. image:: /applications/mailman.jpg
+   :class: align-center
+
+
+Presentation
+------------
+
+`Mailman <http://www.list.org/>`__ is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more.
+
+Mailman uses `django-allauth <https://www.intenct.nl/projects/django-allauth/>`__ for external authentication. And as of version 0.49, *django-allauth* is `compatible with LemonLDAP::NG <https://django-allauth.readthedocs.io/en/latest/providers.html#lemonldap-ng>`__
+
+First, make sure you have set up LemonLDAP::NG 's
+:doc:`OpenID Connect service<..//openidconnectservice>` and added
+:doc:`a Relaying Party for your Mailman instance<..//idpopenidconnect>`
+
+Mailman can use the following OpenID Connect attributes to fill the
+user's profile:
+
+* ``name``
+* ``email``
+* ``preferred_username``
+
+Make sure you create a Client ID and a Client Secret for the Relying Party, and
+that the mailman callback URL is allowed : ``https://mailman.example.com/accounts/lemonldap/login/callback/``
+
+Mailman configuration
+---------------------
+
+.. note::
+
+   Make sure you are using at least version 0.49 of *django-allauth*
+
+
+Provider activation
+~~~~~~~~~~~~~~~~~~~
+
+In the Mailman config (`settings.py`), enable the LemonLDAP::NG provider::
+
+    INSTALLED_APPS = [
+     'allauth',
+     'allauth.account',
+     'allauth.socialaccount',
+     'allauth.socialaccount.providers.lemonldap',
+    ]
+
+    SOCIALACCOUNT_PROVIDERS = {
+        'lemonldap': {
+            'LEMONLDAP_URL': 'https://auth.example.com',
+        },
+    }
+
+
+Provider configuration
+~~~~~~~~~~~~~~~~~~~~~~
+
+Browse to Mailman django administration, then add a new *Social application*
+
+* Provider: *LemonLDAP::NG*
+* Name: pick one
+* Client id: must match the Client ID set in LemonLDAP::NG
+* Secret key: must match the Client Secret set in LemonLDAP::NG
+* Sites: choose which Mailman site can use LemonLDAP::NG
+
+You should then be able to login on your Mailman site using LemonLDAP::NG

doc/sources/admin/applications/mediawiki.rst

@@ -153,12 +153,12 @@ Configure MediaWiki virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/obm.rst

@@ -146,12 +146,12 @@ Edit also OBM configuration to enable LL::NG Handler:
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/odoo.rst

@@ -21,7 +21,7 @@ Make sure you have :doc:`set up LemonLDAP::NG a SAML IDP <../samlservice>`
    a certificate<samlservice-convert-certificate>`)
 
 .. warning::
-   Odoo requires LemonLDAP::NG 2.0.14 in order to handle RelayState correctly
+   Odoo requires LL::NG 2.0.14 in order to handle RelayState correctly
 
 Configuring Odoo
 ----------------
@@ -60,7 +60,7 @@ To generate a key/certificate pair, you can run the following command::
     openssl req -x509 -newkey rsa:4096 -keyout odoo-key.pem -out odoo-cert.pem -sha256 -days 3650 -nodes
 
 * Select a signature method in the *Signature Algorithm*, such as *SIG_RSA_SHA256*
-* If you do not want to use the email address to match between LLNG and Odoo accounts, set the *Identity Provider matching attribute* to a different value
+* If you do not want to use the email address to match between LL::NG and Odoo accounts, set the *Identity Provider matching attribute* to a different value
 * All other fields may be left to default values
 
 Configuring users

doc/sources/admin/applications/opencti.rst

@@ -0,0 +1,121 @@
+OpenCTI
+=========
+
+.. image:: /applications/opencti.png
+   :class: align-center
+
+Presentation
+------------
+
+`OpenCTI <https://www.opencti.io/en/>`__ is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables.
+
+OpenCTI allows SSO via the SAML or OIDC protocols, this page explains how to setup the SAML protocol.
+
+
+Configuring OpenCTI
+-------------------
+
+Prerequisites
+~~~~~~~~~~~~~
+
+First, generate a key/certificate pair for OpenCTI ::
+
+    openssl req -x509 -newkey rsa:4096 -keyout octi-saml-key.pem -out octi-saml-cert.pem -sha256 -days 3650 -nodes
+
+
+Then, download the LemonLDAP::NG SAML metadata at https://auth.example.com/saml/metadata/idp
+
+In this certificate, extract the ``ds:X509Certificate`` element inside the ``KeyDescriptor use="signing"`` element, and remove all spaces, you will get a long Base64 string that looks like ::
+
+    # On a single line, with no spaces
+    MIIFazCCA1OgAwIBAgIUDuUn+nT550rK0Qsej28PlQpZoFkwDQYJKoZIhvcN....
+
+Do the same with ``octi-saml-key.pem`` in order to get a long Base64 string representing the OpenCTI signing key.
+
+Regular installation
+~~~~~~~~~~~~~~~~~~~~
+
+In your OpenCTI configuration ::
+
+    "saml": {
+    "identifier": "saml",
+    "strategy": "SamlStrategy",
+    "config": {
+        "issuer": "opencti",
+        "entry_point": "https://auth.example.com/saml/singleSignOn",
+        "saml_callback_url": "https://opencti.example.com/auth/saml/callback",
+        "private_key": "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...",
+        "cert": "MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...",
+        "roles_management": {
+          "role_attributes": ["groups"],
+          "roles_mapping": ["my_lemonldap_group:Administrator"]
+        }
+    }
+
+* ``private_key`` must contain the concatenated content of ``octi-saml-key.pem``
+* ``cert`` must contain the concatenated content of the LemonLDAP::NG signing certificate, from SAML metadata
+* The ``roles_management`` element is only useful if you want to automatically affect roles to your LemonLDAP::NG users depending on their groups.
+
+Docker
+~~~~~~
+
+In a docker setup, add the following environment variables ::
+
+      - PROVIDERS__SAML__STRATEGY=SamlStrategy
+      - "PROVIDERS__SAML__CONFIG__LABEL=Login with SAML"
+      - PROVIDERS__SAML__CONFIG__ISSUER=opencti
+      - PROVIDERS__SAML__CONFIG__ENTRY_POINT=https://auth.example.com/saml/singleSignOn
+      - PROVIDERS__SAML__CONFIG__SAML_CALLBACK_URL=https://opencti.example.com/auth/saml/callback
+      - PROVIDERS__SAML__CONFIG__CERT=MIICmzCCAYMCBgF2Qt3X1zANBgkqhkiG9w0BAQsFADARMQ8w...
+      - PROVIDERS__SAML__CONFIG__PRIVATE_KEY=MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwg...
+      - "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLE_ATTRIBUTES=[\"groups\"]"
+      - "PROVIDERS__SAML__CONFIG__ROLES_MANAGEMENT__ROLES_MAPPING=[\"my_lemonldap_group:Administrator\"]"
+
+* ``PRIVATE_KEY`` must contain the concatenated content of ``octi-saml-key.pem``
+* ``CERT`` must contain the concatenated content of the LemonLDAP::NG signing certificate, from SAML metadata
+* The ``ROLES_MANAGEMENT`` variables are only useful if you want to automatically affect roles to your LemonLDAP::NG users depending on their groups.
+
+
+Configuring LemonLDAP
+---------------------
+
+Generating OpenCTI metadata
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Edit the following template to create the metadata for OpenCTI ::
+
+    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+    <EntityDescriptor
+     entityID="opencti"
+     xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+     <SPSSODescriptor
+       AuthnRequestsSigned="true"
+       WantAssertionsSigned="true"
+       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+       <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
+       ###paste the content of octi-saml-cert.pem here, without the BEGIN and END line###
+       </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
+       <AssertionConsumerService
+         index="0"
+         isDefault="true"
+         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+         Location="https://opencti.example.com/auth/saml/callback" />
+     </SPSSODescriptor>
+
+    </EntityDescriptor>
+
+Don't forget to replace the ``Location=`` attribute and the content of ``X509Certificate``.
+
+Adding OpenCTI::NG to LemonLDAP configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add a new :ref:`new SAML Service Provider to the LemonLDAP::NG configuration<samlidp-register-sp>`
+with the following parameters:
+
+* **Metadata**
+   * Copy the Metadata generated at the previous step
+* **Exported Attributes**
+   * variable name: ``groups``
+   * attribute name: ``groups``
+
+

doc/sources/admin/applications/phpldapadmin.rst

@@ -68,12 +68,12 @@ Configure phpLDAPadmin virtual host like other
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/sympa.rst

@@ -8,20 +8,67 @@ Presentation
 
 `Sympa <http://www.sympa.org>`__ is a mailing list manager.
 
-To configure SSO with Sympa, use **Magic authentication**: a special SSO
-URL is protected by LL::NG, Sympa will display a button for users who
-wants to use this feature.
+To configure SSO with Sympa, you have the choice between:
+  * CAS
+  * **Magic authentication**: a special SSO URL is protected by LL::NG, Sympa will display a button for users who wants to use this feature.
+
+We recommend to use CAS.
+
+CAS
+---
+
+
+Sympa configuration
+~~~~~~~~~~~~~~~~~~~
+
+Edit the file "auth.conf", for example:
+
+::
+
+   vi /etc/sympa/auth.conf
+
+And fill it:
+
+::
+
+    cas
+        base_url                        https://auth.example.com/cas
+        non_blocking_redirection        on
+        auth_service_name               SSO
+        ldap_host                       ldap.example.com:389
+        ldap_get_email_by_uid_filter    (uid=[uid])
+        ldap_timeout                    7
+        ldap_suffix                     dc=example,dc=com
+        ldap_scope                      sub
+        ldap_email_attribute            mail
+
+Restart services:
+
+::
+
+    service sympa restart
+    service apache2 restart
+
+See also `official documentation <https://sympa-community.github.io/manual/customize/cas.html>`__
+
+LemonLDAP::NG configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Declare CAS application in the configuration, register the service URL.
+
+No attributes are needed.
+
+
+Magic authentication
+--------------------
 
 
 .. tip::
 
-    Since version 1.9 of LLNG, old Auto-Login feature has been
+    Since LL::NG 1.9, old Auto-Login feature has been
     removed since it works only with Sympa-5 which has been deprecated
 
 
-Configuration
--------------
-
 Sympa configuration
 ~~~~~~~~~~~~~~~~~~~
 
@@ -96,12 +143,12 @@ authentication URL.
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       # Keep original request (LLNG server will received /llauth)
+       # Keep original request (LL::NG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $original_uri;
      }
 

doc/sources/admin/applications/wekan.rst

@@ -30,6 +30,7 @@ theses :
 * **OAUTH2_USERNAME_MAP**: ``sub``
 * **OAUTH2_FULLNAME_MAP**: ``name``
 * **OAUTH2_EMAIL_MAP**: ``email``
+* **OAUTH2_REQUEST_PERMISSIONS**: ``openid profile email``
 
 
 .. danger::

doc/sources/admin/applications/xwiki.rst

@@ -75,19 +75,30 @@ Configure the :ref:`access rules<rules>`.
 
 Configure the :ref:`headers<headers>`:
 
--  remote_user: $uid
--  remote_groups: encode_base64($groups,'')
+-  remote_user: ``$uid``
+-  remote_groups: ``join('|', keys(%{$hGroups}))``
+-  secret: ``choose_a_secret_key``
 
 Xwiki Configuration
 ~~~~~~~~~~~~~~~~~~~
 
+First, you need to install the `Headers Trusted Authentication Adapter <https://extensions.xwiki.org/xwiki/bin/view/Extension/Trusted%20Headers%20Authentication%20Adapter>`__
+
+Then, configure in `xwiki.cfg`
+
 ::
 
+
    xwiki.authentication.authclass=org.xwiki.contrib.authentication.XWikiTrustedAuthenticator
    xwiki.authentication.trusted.adapterHint=headers
    xwiki.authentication.trusted.auth_field=remote_user
    xwiki.authentication.trusted.group_field=remote_groups
-   xwiki.authentication.trusted.logout_url=https://auth.acme.fr/#logout
+   xwiki.authentication.trusted.logout_url=https://auth.example.com/?logout=1
+   xwiki.authentication.trusted.secret_field=secret
+   xwiki.authentication.trusted.secret_value=choose_a_secret_key
+
+   # Adjust the XWiki=>LemonLDAP group map to your liking
+   xwiki.authentication.trusted.groupsMapping=XWiki.XWikiAdminGroup=xwiki-admins|XWiki.XWikiAdminGroup=timelords
 
 .. |image0| image:: /applications/xwiki.png
    :class: align-center

doc/sources/admin/authbasichandler.rst

@@ -64,12 +64,10 @@ to access required locations in Portal Virtual Host.
     **Choice used for password authentication** => 2_LDAP (by example)
 
 
-
-
 .. attention::
 
-    With HTTPS, you may have to set **LWP::UserAgent
-    object** with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
+    With HTTPS, you may have to set **LWP::UserAgent object**
+    with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
 
     Go to:
 

doc/sources/admin/authcas.rst

@@ -63,23 +63,48 @@ Then, go in ``CAS parameters``:
 
 -  **Authentication level**: authentication level for this module.
 
-Then create the list of CAS servers in the manager. For each, set:
+Then create the list of CAS servers in the manager.
+
+Options
+~~~~~~~
 
 -  **Server URL** *(required)*: CAS server URL (must use https://)
 -  **Renew authentication** *(default: disabled)*: force authentication
    renewal on CAS server
 -  **Gateways authentication** *(default: disabled)*: force transparent
    authentication on CAS server
+
+Proxied services
+~~~~~~~~~~~~~~~~
+
+In this section, set the list of services for which a proxy ticket is
+requested:
+
+-  **Key**: Service ID
+-  **Value** Service URL (CAS service identifier)
+
+Display
+~~~~~~~
 -  **Display Name**: Name to display. Required if you have more than 1
    CAS server declared
 -  **Icon**: Path to CAS Server icon. Used only if you have more than 1
    CAS server declared
--  **Order**: Number to sort CAS Servers display
--  **Proxied services**: list of services for which a proxy ticket is
-   requested:
+-  **Resolution Rule**: rule that will be applied to preselect a CAS server for
+   a user. You have access to all environment variable *(like user IP address)*
+   and all session keys.
 
-   -  **Key**: Service ID
-   -  **Value** Service URL (CAS service identifier)
+For example, to preselect this server for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_SRV"
+
+-  **Order**: Number to sort CAS Servers display
 
 
 .. tip::

doc/sources/admin/authchoice.rst

@@ -51,7 +51,7 @@ Then, go in ``Choice Parameters``:
    ``lmAuth``)
 -  **Allowed modules**: click on ``New chain`` to add a choice.
 -  **Choice used for password authentication**: authentication module used by
-   :doc:`AuthBasic handler<handlerauthbasic>` and :ref:`OAuth2.0 Password Grant <resource-owner-password-grant>`
+   :doc:`AuthBasic handler<authbasichandler>` and :ref:`OAuth2.0 Password Grant <resource-owner-password-grant>`
 -  **FindUser plugin parameter**: authentication module called by
    Find user plugin (:doc:`Find user plugin<finduser>`)
 

doc/sources/admin/authcombination.rst

@@ -39,7 +39,7 @@ must set:
 -  overloaded parameters: you can redefine any LLNG string parameters.
    For example, if you use 2 different LDAP, the first can use normal
    configuration and for the second, overwritten parameter can redefine
-   ldapServer,...
+   ldapServer or any existing parameter.
 
 
 .. note::
@@ -63,12 +63,13 @@ parameters.
 For example, if DBI is configured to use PostgreSQL but DB2 is a MySQL
 DB, you can override the "dbiChain" parameter.
 
-You can also override a complex key like ldapExportedVars, by setting a
-JSON value:
+The over parameter is a HASH ref where keys are attributes names and values are the overriden value.
+To override a complex key like ldapExportedVars, you must use a JSON value, as the over parameter
+expect string values:
 
 .. code-block:: javascript
 
-   {"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}
+   {"cn": "cn", "uid": "sAMAccounName", "mail": "mail"}
 
 
 .. attention::

doc/sources/admin/authdbi.rst

@@ -38,12 +38,8 @@ LL::NG can use two tables:
 
     Authentication table and user table can be the same.
 
-The password can be in plain text, or encoded with a standard SQL
-method:
-
--  SHA
--  SHA1
--  MD5
+The password can be in plain text, or encoded with a SQL method (for example
+``SHA``, ``SHA1``, ``MD5`` or any method valid on database side).
 
 Example 1: two tables
 ^^^^^^^^^^^^^^^^^^^^^
@@ -159,7 +155,8 @@ Password
 ~~~~~~~~
 
 -  **Hash schema**: SQL method for hashing password. Can be left blank
-   for plain text passwords.
+   for plain text passwords. The method will be forced to uppercase in
+   SQL statement.
 -  **Dynamic hash activation**: Activate dynamic hashing. With dynamic
    hashing, the hash scheme is recovered from the user password in the
    database during authentication.

doc/sources/admin/authfacebook.rst

@@ -78,5 +78,4 @@ variables:
 .. tip::
 
     You can use the same Facebook access token in your
-    applications. It is stored in session datas under the name
-    ``$_facebookToken``\
+    applications. It is stored in session data under the name ``$_facebookToken``\

doc/sources/admin/authkerberos.rst

@@ -11,14 +11,14 @@ Presentation
 ------------
 
 `Kerberos <https://en.wikipedia.org/wiki/Kerberos_(protocol)>`__ is a
-network authentication protocol used to authenticate users based on
+network authentication protocol used for authenticating users based on
 their desktop session.
 
 LL::NG uses GSSAPI module to validate Kerberos ticket against a local
 keytab.
 
-LLNG Configuration
-------------------
+LL::NG Configuration
+--------------------
 
 In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose Kerberos for authentication. Then go to "Kerberos parameters"
@@ -34,13 +34,15 @@ and configure the following parameters:
    Kerberos code to validate Kerberos ticket
 -  **Remove domain in username**: set to "enabled" to strip username
    value and remove the '@domain'.
--  **Allowed domains**: if set, tickets will only be accepted if they come from one of the domains listed here. This is a space-separated list. This feature can be useful when using :doc:`combination<authcombination>` and cross-realm Kerberos trusts.
+-  **Allowed domains**: if set, tickets will only be accepted if they come
+   from one of the domains listed here. This is a space-separated list.
+   This feature can be useful when using :doc:`combination<authcombination>`
+   and cross-realm Kerberos trusts.
 
 
 .. attention::
 
 
-
     -  Due to a perl GSSAPI issue, you may need to copy the keytab in
        /etc/krb5.keytab which is the default location hardcoded in the
        library

doc/sources/admin/authldap.rst

@@ -74,12 +74,12 @@ Connection
 
    -  More than one server can be set here separated by spaces or
       commas. They will be tested in the specified order.
-   -  To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
+   -  To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set
       ``ldaps://server`` instead of server name.
-   -  If you use TLS, you can set any of the
+   -  If you use StartTLS or LDAPS, you can set any of the
       `Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
-      start_tls() sub like
-      ``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
+      start_tls() options in the URL, such as ``ldap+tls://server/verify=none``
+      or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can
       also use cafile and capath parameters.
 
 -  **Server port**: TCP port used by LDAP server if different from the standard
@@ -109,7 +109,7 @@ Connection
 
 .. attention::
 
-    LemonLDAP::NG need anonymous access to LDAP Directory
+    LL::NG needs anonymous access to LDAP Directory
     RootDSE in order to check LDAP connection.
 
 Filters
@@ -155,6 +155,7 @@ Groups
 -  **Search base**: DN of groups branch. If no value, disable group
    searching.
 -  **Object class**: objectClass of the groups (default: groupOfNames).
+   If you are using Active Directory you need to modify this value to ``group``. 
 -  **Target attribute**: name of the attribute in the groups storing the
    link to the user (default: member).
 -  **User source attribute**: name of the attribute in users entries
@@ -208,7 +209,7 @@ Password
 -  **Allow a user to reset his expired password**: if activated, the
    user will be prompted to change password if his password is expired
    (default: disabled)
-- **Search for user before password change**: this option forces the password
+-  **Search for user before password change**: this option forces the password
    change module to search for the user again, refreshing its DN. This feature
    is only useful in rare cases when you use LDAP as the password module, but
    not as the UserDB module. (default: enabled)

doc/sources/admin/authopenid.rst

@@ -27,7 +27,7 @@ least version 1.0.
     LL::NG can also act as :doc:`OpenID server<idpopenid>`, that
     allows one to interconnect two LL::NG systems.
 
-LL::NG will then display a form with an OpenID input, wher users will
+LL::NG will then display a form with an OpenID input, where users will
 type their OpenID login.
 
 
@@ -81,12 +81,12 @@ See also :doc:`exported variables configuration<exportedvars>`.
 
 .. attention::
 
-    Browser implementations of formAction directive are
-    inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
+    Browser implementations of formAction directive are inconsistent
+    (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
 
-    In Manager, go in :
+    In Manager, go in:
 
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
     ``Content Security Policy`` > ``Form destination``

doc/sources/admin/authopenidconnect.rst

@@ -20,15 +20,15 @@ LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple
 OpenID Connect Providers (OP). It will get the user identity through an
 ID Token, and grab user attributes through UserInfo endpoint.
 
-As an RP, LL::NG supports a lot of OpenID Connect features:
+As an RP, LL::NG supports many OpenID Connect features:
 
--  Authorization Code flow
+-  Authorization Code, Implicit and Hybrid flows
 -  Automatic download of JWKS
 -  JWT signature verification
 -  Access Token Hash verification
 -  ID Token validation
 -  Get UserInfo as JSON or as JWT
--  Logout on EndSession end point
+-  Logout on EndSession endpoint
 
 You can use this authentication module to link your LL::NG server to any
 OpenID Connect Provider. Here are some examples, with their specific
@@ -60,11 +60,11 @@ Google          France Connect     Pro Santé Connect
 
 .. attention::
 
-    OpenID Connect specification is not finished for logout
-    propagation. So logout initiated by relaying-party will be forward to
+    OpenID Connect specification is not achieved for logout propagation.
+    So logout initiated by relaying-party will be forwarded to
     OpenID Connect provider but logout initiated by the provider (or another
-    RP) will not be propagated. LLNG will implement this when spec will be
-    published.
+    RP) will not be propagated. LL::NG will implement this when specification
+    is published.
 
 Configuration
 -------------
@@ -93,11 +93,11 @@ In ``General Parameters`` > ``Authentication modules``, set:
 .. attention::
 
     Browser implementations of formAction directive are
-    inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
+    inconsistent (e.g. Firefox does not block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
 
-    In Manager, go in :
+    In Manager, go in:
 
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
     ``Content Security Policy`` > ``Form destination``
@@ -105,11 +105,10 @@ In ``General Parameters`` > ``Authentication modules``, set:
 Then in ``General Parameters`` > ``Authentication modules`` >
 ``OpenID Connect parameters``, you can set:
 
--  **Authentication level**: level of authentication to associate to
-   this module
--  **Callback GET parameter**: name of GET parameter used to intercept
+-  **Authentication level**: Authentication level associated to this module
+-  **Callback GET parameter**: Name of the GET parameter used for intercepting
    callback (default: openidconnectcallback)
--  **State session timeout**: duration of a state session (used to keep
+-  **State session timeout**: Duration of a state session (used for keeping
    state information between authentication request and authentication
    response) in seconds (default: 600)
 
@@ -119,7 +118,8 @@ Register LL::NG to an OpenID Connect Provider
 To register LL::NG, you will need to give some information like
 application name or logo.
 
-You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
+You will be prompted to provide a *Redirect URI* for LL::NG, which is built 
+by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
 
 For example:
 
@@ -132,15 +132,15 @@ For example:
     you need to set SameSite cookie value to "Lax" or "None".
     See :doc:`SSO cookie parameters<ssocookie>`
 
-After registration, the OP must give you a client ID and a client
-secret, that will be used to configure the OP in LL::NG.
+After registration, the OP must give you a *Client ID* and a *Client
+secret* required to configure the OP in LL::NG.
 
 Declare the OpenID Connect Provider in LL::NG
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-In the Manager, select node ``OpenID Connect Providers`` and click on
-``Add OpenID Connect Provider``. Give a technical name (no spaces, no
-special characters), like "sample-op";
+In Manager, select node ``OpenID Connect Providers`` and click on
+``Add OpenID Connect Provider``. Set a technical name (without space or
+special character) like "sample-op".
 
 You can then access to the configuration of this OP.
 
@@ -183,26 +183,24 @@ JWKS data
 ^^^^^^^^^
 
 JWKS is a JSON file containing public keys. LL::NG can grab them
-automatically if jwks_uri is defined in metadata. Else you can paste the
-content of the JSON file in the textarea.
+automatically if jwks_uri is defined in metadata. Else you can paste
+the JSON file content in the textarea.
 
 
 .. tip::
 
     If the OpenID Connect provider only uses symmetric encryption,
-    JWKS data is not useful.
+    JWKS data are useless.
 
 Exported attributes
 ^^^^^^^^^^^^^^^^^^^
 
-Define here the mapping between the LL::NG session content and the
-fields provided in UserInfo response. The fields are defined in `OpenID
-Connect
-standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__,
-and depends on the scope requested by LL::NG (see options in next
-chapter).
+Define here mapping between LL::NG session content and fields
+provided in UserInfo endpoint response. These fields are defined in
+`OpenID Connect standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__,
+and depends on the scope requested by LL::NG (see options below).
 
-So you can define for example:
+So you can define by example:
 
 -  cn => name
 -  sn => family_name
@@ -212,39 +210,65 @@ So you can define for example:
 Options
 ^^^^^^^
 
--  **Configuration**:
+Configuration
+"""""""""""""
 
-   -  **Configuration endpoint**: URL of OP configuration endpoint
-   -  **JWKS data timeout**: After this time, LL::NG will do a request
-      to get a fresh version of JWKS data. Set to 0 to disable it.
-   -  **Client ID**: Client ID given by OP
-   -  **Client secret**: Client secret given by OP
-   -  **Store ID token**: Allows one to store the ID token (JWT) inside
-      user session. Do not enable it unless you need to replay this token
-      on an application, or if you need the id_token_hint parameter when
-      using logout.
+-  **Configuration endpoint**: URL of OP configuration endpoint
+-  **JWKS data timeout**: After this time, LL::NG will do a request
+   to get a fresh version of JWKS data. Set to 0 to disable it.
+-  **Client ID**: Client ID given by OP
+-  **Client secret**: Client secret given by OP
+-  **Store ID token**: Allows one to store the ID Token (JWT) inside
+   user session. Do not enable it unless you need to replay this token
+   on an application, or if you need the id_token_hint parameter when
+   using logout.
 
--  **Protocol**:
+Protocol
+""""""""
+-  **Scope**: Value of scope parameter (example: openid profile). The
+   ``openid`` scope is mandatory.
+-  **Display**: Value of display parameter (example: page)
+-  **Prompt**: Value of prompt parameter (example: consent)
+-  **Max age**: Value of max_age parameter (example: 3600)
+-  **UI locales**: Value of ui_locales parameter (example: en-GB en
+   fr-FR fr)
+-  **ACR values**: Value acr_values parameters (example: loa-1)
+-  **Token endpoint authentication method**: Choice between
+   ``client_secret_post`` and ``client_secret_basic``
+-  **Check JWT signature**: Set to 0 to disable JWT signature
+   checking
+-  **ID Token max age**: If defined, LL::NG will check the ID Token
+   date and reject it if too old
+-  **Use Nonce**: If enabled, a nonce will be sent, and verified from
+   the ID Token
 
-   -  **Scope**: Value of scope parameter (example: openid profile). The
-      ``openid`` scope is mandatory.
-   -  **Display**: Value of display parameter (example: page)
-   -  **Prompt**: Value of prompt parameter (example: consent)
-   -  **Max age**: Value of max_age parameter (example: 3600)
-   -  **UI locales**: Value of ui_locales parameter (example: en-GB en
-      fr-FR fr)
-   -  **ACR values**: Value acr_values parameters (example: loa-1)
-   -  **Token endpoint authentication method**: Choice between
-      ``client_secret_post`` and ``client_secret_basic``
-   -  **Check JWT signature**: Set to 0 to disable JWT signature
-      checking
-   -  **ID Token max age**: If defined, LL::NG will check the date of ID
-      token and refuse it if it is too old
-   -  **Use Nonce**: If enabled, a nonce will be sent, and verified from
-      the ID Token
+Display
+"""""""
 
--  **Display**:
+-  **Display name**: Name of the application
+-  **Logo**: Logo of the application
+-  **Resolution Rule**: rule that will be applied to preselect an OP
+   for a user. You have access to all environment variable *(like user
+   IP address)* and all session keys.
 
-   -  **Display name**: Name of the application
-   -  **Logo**: Logo of the application
-   -  **Order**: Number to sort buttons
+For example, to preselect this OP for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this OP when the ``MY_OP`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_OP"
+
+-  **Order**: Number to sort buttons
+
+
+.. attention::
+
+    With HTTPS authorization endpoint, you may have to set **LWP::UserAgent object**
+    with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
+
+
+    Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``

doc/sources/admin/authproxy.rst

@@ -15,7 +15,7 @@ credentials to another LL::NG portal, like a proxy.
 
 The difference with :doc:`remote authentication<authremote>` is that the
 client will never be redirect to the main LL::NG portal. This
-configuration is usable if you want to expose your internal SSO portal
+configuration is useful if you want to expose your internal SSO portal
 to another network (DMZ).
 
 Configuration
@@ -40,20 +40,22 @@ Then, go in ``Proxy parameters``:
    same as previous for SOAP, same with "/session/my" for REST)
 -  **Choice parameter** (optional): choice parameter of the internal portal if applicable
 -  **Choice value** (optional): value of the choice parameter of the internal portal
--  **Cookie name** (optional): internal portal cookie name, if
-   different from external portal
+-  **Cookie name** (optional): internal portal cookie name,
+   if different from external portal
 -  **Impersonation** (optional) : can be enabled if the internal portal provides impersonation
 
 .. note::
 
-    If the internal portal uses :doc:`Choice Authentication<authchoice>`, you must specify 'Internal portal choice parameter' and 'Internal portal choice value' depending on its configuration. 
-    This feature needs at least LL::NG version 2.0.14
+    If the internal portal uses :doc:`Choice Authentication<authchoice>`,
+    you have to specify 'Internal portal choice parameter' and
+    'Internal portal choice value' depending on its configuration. 
+    This feature needs at least LL::NG version 2.0.14.
 
 Internal portal
 ~~~~~~~~~~~~~~~
 
 The portal must be configured to accept REST or SOAP authentication
-requests if you chose to use SOAP. See:
+requests. See:
 :doc:`REST server plugin<restservices>` or
 :doc:`SOAP session backend<soapsessionbackend>` *(deprecated)*.
 

doc/sources/admin/authradius.rst

@@ -37,8 +37,8 @@ In Debian/Ubuntu, install the library through apt-get command
 
    apt-get install libauthen-radius-perl
 
-Configuration of LemonLDAP::NG
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Configuration of LL::NG
+~~~~~~~~~~~~~~~~~~~~~~~
 
 In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose Radius for authentication.

doc/sources/admin/authsaml.rst

@@ -111,20 +111,6 @@ For each attribute, you can set:
 Options
 ^^^^^^^
 
-General options
-'''''''''''''''
-
--  **Resolution Rule**: rule that will be applied to preselect an IDP
-   for a user. You have access to all environment variable *(like user
-   IP address)* and all session keys.
-
-For example, to preselect this IDP for users coming from 129.168.0.0/16
-network and member of "admin" group:
-
-::
-
-   $ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
-
 Authentication request
 ''''''''''''''''''''''
 
@@ -135,10 +121,6 @@ Authentication request
    request
 -  **Passive authentication**: set IsPassive flag in authentication
    request
--  **Allow proxied authentication**: allow an authentication response to
-   be issued from another IDP that the one we register (proxy IDP). If
-   you disallow this, you should also disallow direct login form IDP,
-   because proxy restriction is set in authentication requests.
 -  **Allow login from IDP**: allow a user to connect directly from an
    IDP link. In this case, authentication is not a response to an issued
    authentication request, and we have less control on conditions.
@@ -212,8 +194,6 @@ Used only if at least 2 SAML Identity Providers are declared
 
 -  **Display name**: Name of the IDP
 -  **Logo**: Logo of the IDP
--  **Order**: Number used for sorting IDP display
-
 
 .. tip::
 
@@ -222,6 +202,23 @@ Used only if at least 2 SAML Identity Providers are declared
     icon file name directly in the field and copy the logo file in portal
     icons directory
 
+-  **Resolution Rule**: rule that will be applied to preselect an IDP
+   for a user. You have access to all environment variable *(like user
+   IP address)* and all session keys.
+
+For example, to preselect this IDP for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this IDP when the ``MY_IDP`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_IDP"
+
+-  **Order**: Number used for sorting IDP display
+
 .. |image0| image:: /documentation/manager-saml-metadata.png
    :class: align-center
 .. |image1| image:: /documentation/manager-saml-attributes.png

doc/sources/admin/authssl.rst

@@ -181,7 +181,6 @@ Nginx SSL Virtual Host example with uWSGI
      #index index.psgi;
      location / {
        try_files $uri $uri/ =404;
-       add_header Strict-Transport-Security "max-age=15768000";
      }
    }
 

doc/sources/admin/authyubikey.rst

@@ -5,4 +5,4 @@ Yubikey
 .. attention::
 
     This module has been replaced by
-    :doc:`Yubikey Second Factor<yubikey2f>`\
+    :doc:`Yubico OTP Second Factor<yubikey2f>`\

doc/sources/admin/browseableldapsessionbackend.rst

@@ -20,7 +20,7 @@ Required parameters
 Name                     Comment                           Example
 **ldapServer**           URI of the server                 ldap://localhost
 **ldapConfBase**         DN of sessions branch             ou=sessions,dc=example,dc=com
-**ldapBindDN**           Connection login                  cn=admin,dc=example,dc=password
+**ldapBindDN**           Connection login                  cn=admin,dc=example,dc=com
 **ldapBindPassword**     Connection password               secret
 **ldapRaw**              Binary attributes                 (?i:^jpegPhoto|;binary)
 **Index**                Fields to index                   refer to :ref:`fieldstoindex`

doc/sources/admin/browseablemysqlsessionbackend.rst

@@ -59,7 +59,7 @@ Create the following tables. You may skip the session types you are not going to
        _session_kind varchar(15),
        _utime bigint,
        ProxyID varchar(64),
-       _nameID varchar(128),
+       _nameID varchar(255),
        _assert_id varchar(64),
        _art_id varchar(64),
        _saml_id varchar(64)
@@ -89,7 +89,7 @@ Create the following tables. You may skip the session types you are not going to
        _utime bigint,
        _cas_id varchar(128),
        pgtIou varchar(128)
-   ) DEFAULT CHARSET utf8
+   ) DEFAULT CHARSET utf8;
    CREATE INDEX i_c__session_kind ON cassessions (_session_kind);
    CREATE INDEX i_c__utime        ON cassessions (_utime);
    CREATE INDEX i_c__cas_id       ON cassessions (_cas_id);
@@ -98,7 +98,7 @@ Create the following tables. You may skip the session types you are not going to
 LemonLDAP::NG configuration
 ---------------------------
 
-Go in the Manager and set the session module to ``Apache::Session::Browseable::PgJSON`` for each session type you intend to use:
+Go in the Manager and set the session module to ``Apache::Session::Browseable::MySQL`` for each session type you intend to use:
 
 * ``General parameters`` » ``Sessions`` » ``Session storage`` » ``Apache::Session module``
 * ``General parameters`` » ``Sessions`` » ``Persistent sessions`` » ``Apache::Session module``

doc/sources/admin/captcha.rst

@@ -31,3 +31,18 @@ Go in ``General parameters`` > ``Portal`` > ``Captcha``:
 -  **Activation in register form**: set to 1 to display captcha in
    register form
 -  **Size**: length of captcha
+-  **Captcha module**: allows you to use a custom Captcha module, see
+   :ref:`below <customcaptcha>`. Leave it blank to use the default Captcha
+   implementation
+-  **Captcha module options**: options for the custom Captcha module
+
+.. _customcaptcha:
+
+Custom Captcha modules
+----------------------
+
+.. versionadded:: 2.0.15
+
+If the default Captcha does not meet your requirements, you can replace it with
+a different implementation. See the ``Lemonldap::NG::Portal::Captcha`` manual
+page for details on how to implement a Captcha module.

doc/sources/admin/checkstate.rst

@@ -33,9 +33,9 @@ The plugin will respond to the HTTP request with:
 * HTTP code 500 if something went wrong
 * HTTP code 200 and the following JSON content if something went right
 
-```
-{"result":1,"version":"2.0.14"}
-```
+.. code:: json
+
+    {"result":1,"version":"2.0.14"}
 
 .. versionadded:: 2.0.14
    The *version* key is returned

doc/sources/admin/cli_examples.rst

@@ -64,7 +64,7 @@ can be executed to set all the session backends.
 
 In this example we have:
 
--  Backend: PostGreSQL
+-  Backend: PgJSON
 -  DB user: lemonldaplogin
 -  DB password: lemonldappw
 -  Database: lemonldapdb
@@ -81,7 +81,7 @@ In this example we have:
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
-           globalStorage Apache::Session::Browseable::Postgres
+           globalStorage Apache::Session::Browseable::PgJSON
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
@@ -89,7 +89,6 @@ In this example we have:
            globalStorageOptions UserName 'lemonldaplogin' \
            globalStorageOptions Password 'lemonldappw' \
            globalStorageOptions Commit 1 \
-           globalStorageOptions Index 'ipAddr _whatToTrace user' \
            globalStorageOptions TableName 'sessions'
 
 -  Persistent sessions:
@@ -103,7 +102,7 @@ In this example we have:
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
-           persistentStorage Apache::Session::Browseable::Postgres
+           persistentStorage Apache::Session::Browseable::PgJSON
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
@@ -111,7 +110,6 @@ In this example we have:
            persistentStorageOptions UserName 'lemonldaplogin' \
            persistentStorageOptions Password 'lemonldappw' \
            persistentStorageOptions Commit 1 \
-           persistentStorageOptions Index '_session_uid' \
            persistentStorageOptions TableName 'psessions'
 
 -  CAS sessions
@@ -120,7 +118,7 @@ In this example we have:
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
-           casStorage Apache::Session::Browseable::Postgres
+           casStorage Apache::Session::Browseable::PgJSON
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
@@ -128,7 +126,6 @@ In this example we have:
            casStorageOptions UserName 'lemonldaplogin' \
            casStorageOptions Password 'lemonldappw' \
            casStorageOptions Commit 1 \
-           casStorageOptions Index '_cas_id' \
            casStorageOptions TableName 'cassessions'
 
 -  SAML sessions
@@ -137,7 +134,7 @@ In this example we have:
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
-           samlStorage Apache::Session::Browseable::Postgres
+           samlStorage Apache::Session::Browseable::PgJSON
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
@@ -145,7 +142,6 @@ In this example we have:
           samlStorageOptions UserName 'lemonldaplogin' \
           samlStorageOptions Password 'lemonldappw' \
           samlStorageOptions Commit 1 \
-          samlStorageOptions Index '_saml_id ProxyID _nameID _assert_id _art_id _session_id' \
           samlStorageOptions TableName 'samlsessions'
 
 -  OpenID Connect sessions
@@ -154,7 +150,7 @@ In this example we have:
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
-          oidcStorage Apache::Session::Browseable::Postgres
+          oidcStorage Apache::Session::Browseable::PgJSON
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
@@ -195,13 +191,13 @@ In this example we have:
 Configure form replay
 ---------------------
 
-To add form replay on a host, you need to set the catched URI and
+To add form replay on a host, you need to set the caught URI and
 the variables to post.
 
 In this example we have:
 
 - Host: test.example.com
-- Catched URI: /login.php
+- Caught URI: /login.php
 - jQuery URL: default
 
 - Variables:
@@ -301,7 +297,7 @@ In this example we have:
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        addKey \
            casAppMetaDataExportedVars/testapp mail mail \
-           casAppMetaDataExportedVars/testapp cn cn
+           casAppMetaDataExportedVars/testapp cn cn \
            casAppMetaDataOptions/testapp casAppMetaDataOptionsService 'https://testapp.example.com/'
 
 Configure SAML Identity Provider
@@ -494,6 +490,78 @@ To update the master encryption key:
            key 'xxxxxxxxxxxxxxx'
 
 
+Bulk configuration changes
+--------------------------
+
+.. versionadded:: 2.0.15
+
+The ``merge`` subcommand can be used to inject multiple configuration keys and
+variables at once. It reads a list of JSON or YAML formatted files and combines
+them with the current config. This allows you to script common configuration
+changes in the form of snippets.
+
+Example (JSON):
+
+.. code:: json
+
+    {
+        "https": 1,
+        "securedCookie": 1,
+        "sameSite": "None",
+        "macros": {
+            "UA": null,
+            "_whatToTrace": "uid"
+        }
+    }
+
+
+Example (YAML) :
+
+.. code:: yaml
+
+   # YAML files can be commented
+   https: 1
+   securedCookie: 1
+   sameSite: "None"
+
+   # override some default macros
+   macros:
+
+       # Remove UA
+       UA: ~
+
+       # Update _whatToTrace
+       _whatToTrace: uid
+
+
+Importing the changes:
+
+.. code:: shell
+
+    # Import a JSON snippet
+    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 merge example.json
+
+    # Import a YAML snippet
+    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 merge example.yaml
+
+    # Import several snippets
+    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 merge my_config/*.yaml
+
+.. note:: You may need to install the `YAML <https://metacpan.org/pod/YAML>`__
+   Perl module to be able to import
+   YAML configuration snippets
+
+.. warning::
+
+   * The config files will be read as the webserver (``apache``/``www-data``)
+     user. Make sure they have the correct permissions before running the
+     command
+   * Do not use booleans in JSON/YAML files, LemonLDAP only understands 0/1
+     values for boolean configuration keys
+   * Due to limitations in the Perl YAML parser, you need to set a key to ``~``
+     instead of ``null`` to remove it
+
+
 .. _cli-sessions:
 
 Sessions Management
@@ -536,7 +604,7 @@ List second factors of a user ::
 
    lemonldap-ng-sessions secondfactors get dwho
 
-Deregister Yubikey of a user ::
+Deregister Yubico OTP for a user ::
 
    lemonldap-ng-sessions secondfactors delType dwho UBK
 
@@ -546,7 +614,7 @@ OIDC Consents management
 .. versionadded:: 2.0.9
 
 List consents of a user ::
-   
+
    lemonldap-ng-sessions consents get dwho
 
 Revoke consents on OIDC provider 'test' for a user::

doc/sources/admin/conf.py

@@ -50,7 +50,7 @@ master_doc = 'start'
 
 # General information about the project.
 project = u'LemonLDAP::NG'
-copyright = u'2021, LemonLDAP::NG'
+copyright = u'2022, LemonLDAP::NG'
 author = u'LemonLDAP::NG'
 
 # The version info for the project you're documenting, acts as replacement for
@@ -138,6 +138,8 @@ if 'LLNGSPHINXWEBSITE' in os.environ:
     import sphinx_rtd_theme
     html_theme = 'sphinx_rtd_theme'
     html_theme_options = {}
+else:
+    html_copy_source = False
 
 
 # html_theme_options = {}

doc/sources/admin/configlocation.rst

@@ -128,6 +128,21 @@ configuration.
        instanceName = LLNG_Demo
 
 
+.. tip::
+
+
+    It is possible to use environment variable placeholders anywhere in
+    configuration. Those placeholders will be replaced by each LLNG component
+    using environment variables set locally.
+    The format is: ``%SERVERENV:VariableName%``.
+    To enable this feature, you must edit ``lemonldap-ng.ini`` to set
+    ``useServerEnv`` value in [configuration] section:
+
+    .. code:: ini
+
+       [configuration]
+       useServerEnv = 1
+
 
 Manager API
 -----------

doc/sources/admin/configvhost.rst

@@ -38,7 +38,7 @@ Example of a protected virtual host for a local application:
 
    </VirtualHost>
 
-Reverse proxy
+Reverse-Proxy
 ~~~~~~~~~~~~~
 
 Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
@@ -139,7 +139,7 @@ Then you can take any virtual host and modify it:
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
 
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
 
@@ -215,7 +215,7 @@ Example of a protected virtual host for a local application:
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass /path/to/llng-fastcgi-server.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
@@ -258,7 +258,7 @@ Example of a protected virtual host for a local application:
 
 .. _reverse-proxy-1:
 
-Reverse proxy
+Reverse-Proxy
 ~~~~~~~~~~~~~
 
 - Example of a protected reverse-proxy:
@@ -276,7 +276,7 @@ Reverse proxy
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass /path/to/llng-fastcgi-server.sock;
-       # Drop post datas
+       # Drop post data
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
@@ -452,7 +452,29 @@ A virtual host contains:
 -  Access rules: check user's right on URL patterns
 -  HTTP headers: forge information sent to protected applications
 -  POST data: use form replay
--  Options: redirection port and protocol
+-  Options: redirection port, protocol, Handler type, aliases,required authentication level,...
+
+Wildcards in hostnames
+----------------------
+
+A wildcard can be used in virtualhost name (not in
+aliases !): ``*.example.com`` matches all hostnames that belong to
+``example.com`` domain.
+
+.. versionchanged:: 2.0.9
+   You can now use wildcards of the form ``test-*.example.com`` or
+   ``test-%.example.com``. The ``%`` wilcard doesn't match subdomains.
+
+Even if a wildcard exists, if a VirtualHost is explicitly declared, this
+rule will be applied. Example with precedence order for test.sub.example.com:
+
+#. test.sub.example.com
+#. test%.sub.example.com
+#. test*.sub.example.com
+#. %.sub.example.com
+#. \*.sub.example.com
+#. \*.example.com (``%.example.com`` does not match
+   test.sub.example.com)
 
 Access rules and HTTP headers
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -464,7 +486,7 @@ application by LL::NG.
 
 .. attention::
 
-    With **Nginx**-based ReverseProxy, header directives can
+    With **Nginx**-based Reverse-Proxy, header directives can
     be appended by a LUA script.
 
     To send more than **15** headers to protected applications,
@@ -498,7 +520,7 @@ Options
 Some options are available:
 
 -  **Port**: used to build redirection URL *(when user is not logged, or for
-   CDA requests)*
+   CDA requests)*, -1 means the handler builds the URL with the incoming port, as seen by the webserver
 -  **HTTPS**: used to build redirection URL
 -  **Maintenance mode**: reject all requests with a maintenance message
 -  **Aliases**: list of aliases for this virtual host *(avoid to rewrite
@@ -507,18 +529,22 @@ Some options are available:
    Provide a comma separated parameters list with custom function path and args.
    Args can be vars or session attributes, macros, ...
    By example: My::accessToTrace, Doctor, Who, _whatToTrace
--  **Type**: handler type (normal,
-   :doc:`ServiceToken Handler<servertoserver>`,
-   :doc:`DevOps Handler<devopshandler>`,...)
 -  **Required authentication level**: this option avoids to reject user with
    a rule based on ``$_authenticationLevel``. When user has not got the
    required level, he is redirected to an upgrade page in the portal.
    This default level is required for ALL locations relative to this virtual host.
    It can be overrided for each locations.
+-  **Type**: handler type (:ref:`Main<presentation-kinematics>`,
+   :doc:`AuthBasic<authbasichandler>`,
+   :doc:`ServiceToken<servertoserver>`,
+   :doc:`DevOps<devopshandler>`,
+   :doc:`DevOpsST<devopssthandler>`,
+   :doc:`OAuth2<oauth2handler>`,...)
 -  **DevOps rules file URL**: option to define URL to retreive DevOps rules file.
    This option can be overridden with ``uwsgi_param/fastcgi_param RULES_URL`` parameter.
 -  **ServiceToken timeout**: by default, ServiceToken is just valid during 30
    seconds. This TTL can be customized for each virtual host.
+-  **Comment**: Can be used for setting comment.
 
 
 .. attention::
@@ -571,3 +597,6 @@ Some options are available:
 "Port" and "HTTPS" options are used to build redirection URL *(when user
 is not logged, or for CDA requests)*. By default, default values are
 used. These options are only here to override default values.
+
+.. |image0| image:: /documentation/new.png
+   :width: 35px

doc/sources/admin/contribute.rst

@@ -52,13 +52,13 @@ Install basic tools
 Debian
 ^^^^^^
 
-As *root :*
+As *root:*
 
 ::
 
    apt install aptitude
    aptitude install vim make devscripts yui-compressor git git-gui libjs-uglify coffeescript cpanminus autopkgtest pkg-perl-autopkgtest
-   aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl libtime-fake-perl libtest-output-perl libtest-pod-perl libtest-leaktrace-perl
+   aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl libtime-fake-perl libtest-output-perl libtest-pod-perl libtest-leaktrace-perl libtest-mockobject-perl uglifyjs libdbd-sqlite3-perl libauthen-webauthn-perl libauthen-oath-perl
 
    cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
 
@@ -71,7 +71,7 @@ As *root :*
 Configure Git
 ^^^^^^^^^^^^^
 
-As *user :*
+As *user:*
 
 ::
 
@@ -126,7 +126,7 @@ Install dependencies
 
 ::
 
-   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
+   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libio-socket-timeout-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
    aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2  # install Apache
    aptitude install nginx nginx-extras  # install Nginx
    cpanm perltidy@20181120

doc/sources/admin/customfunctions.rst

@@ -51,81 +51,28 @@ as you want, for example ``SSOExtensions.pm``:
 Import custom functions in LemonLDAP::NG
 ----------------------------------------
 
-Load relevant code in handler server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+LemonLDAP::NG Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-New method
-^^^^^^^^^^
-
-Just declare files or Perl module that must be loaded:
+Edit ``lemonldap-ng.ini`` to load the Perl module(s)
 
 ::
 
    [all]
-   require = /path/to/functions.pl, /path/to/SSOExtensions.pm
-   # OR
-   require = SSOExtensions::function1, SSOExtensions::function2
+   require = /path/to/SSOExtensions.pm
    ; Prevent Portal to crash if Perl module is not found
    ;requireDontDie = 1
 
-Old method
-^^^^^^^^^^
-
-
-.. danger::
-
-    This method is available but unusable by Portal under
-    Apache. So if your rule may be used by the menu, use the new
-    method.
-
-Apache
-''''''
-
-Your module has to be loaded by Apache (for example after Handler load):
-
-.. code-block:: apache
-
-   # Perl environment
-   PerlRequire Lemonldap::NG::Handler
-   PerlRequire /path/to/SSOExtensions.pm
-   PerlOptions +GlobalRequest
-
-FastCGI server (Nginx)
-''''''''''''''''''''''
-
-You've just to incicate to :doc:`LLNG FastCGI server<fastcgiserver>` the
-file to read using either ``-f`` option or ``CUSTOM_FUNCTIONS_FILE``
-environment variable. Using packages, you just have to modify your
-``/etc/default/llng-fastcgi-server`` (or
-``/etc/default/lemonldap-ng-fastcgi-server``) file:
-
-.. code-block:: sh
-
-   # Number of process (default: 7)
-   #NPROC = 7
-
-   # Unix socket to listen to
-   SOCKET=/var/run/llng-fastcgi-server/llng-fastcgi.sock
-
-   # Pid file
-   PID=/var/run/llng-fastcgi-server/llng-fastcgi-server.pid
-
-   # User and GROUP
-   USER=www-data
-   GROUP=www-data
-
-   # Custom functions file
-   CUSTOM_FUNCTIONS_FILE=/path/to/SSOExtensions.pm
 
 Declare custom functions
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
-``Custom functions`` and set:
+``Custom functions`` and declare your function names, separated by a space:
 
 ::
 
-   SSOExtensions::function1, SSOExtensions::function2
+   SSOExtensions::function1 SSOExtensions::function2
 
 
 .. attention::
@@ -133,13 +80,13 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
     If your function is not compliant with
     :doc:`Safe jail<safejail>`, you will need to disable the jail.
 
-Use it
-------
+Usage
+-----
 
 You can now use your function in a macro, an header or an access rule,
 for example:
 
 ::
 
-   SSOExtensions::function1( $uid, $ENV{REMOTE_ADDR} )
+   function1( $uid, $ENV{REMOTE_ADDR} )
 

doc/sources/admin/decryptvalue.rst

@@ -16,19 +16,19 @@ DecryptValue plugin can be allowed or denied for specific users.
    -  **Use rule**: Select which users may use this plugin
    -  **Decrypt functions**: Set functions used for decrypting ciphered
       values. Each function is tested until one succeeds. Let it blank
-      to use internal decrypt function.
+      to use internal ``decrypt`` extended function.
 
 
-.. danger::
+.. attention::
+
+    The ciphered value is the first parameter passed to custom functions.
+
+    The ``Encryption key`` is passed to custom funtions as second parameter
+    (see :ref:`Security settings<security-configure-security-settings>`).
 
     Custom functions must be defined into
-    ``Lemonldap::NG::Portal::My::Plugin`` and set:
+    ``My::Plugin`` and set:
 
     ::
 
        My::Plugin::function1 My::Plugin::function2
-
-
-
-.. |image0| image:: /documentation/beta.png
-   :width: 100px

doc/sources/admin/devopshandler.rst

@@ -1,7 +1,7 @@
 DevOps Handler
 ==============
 
-This Handler is designed to retrieve vhost configuration from the website
+This Handler is designed to retrieve VHost configuration from the website
 itself, not from LL:NG configuration. Rules and headers are set in a
 **rules.json** file stored at the website root directory (ie
 ``http://website/rules.json``). This file looks like:
@@ -23,12 +23,14 @@ If this file is not found, the default rule "accept" is applied and just
 
 No specific configuration is required except that:
 
--  you have to choose this specific handler (directly by using
-   ``VHOSTTYPE`` environment variable or in VHost options)
--  you can set the loopback URL needed by the DevOps handler to get
-   ``/rules.json`` or use ``RULES_URL`` parameter to set JSON file path
-   (see :doc:`SSO as a Service<ssoaas>`). Default to
-   ``http://127.0.0.1:<server-port>``
+-  you have to select ``DevOps`` handler type either with
+   ``VHOSTTYPE`` environment variable or in VHost options
+-  you can set in VHost options the loopback URL requested by 
+   the DevOps handler to retrieve ``/rules.json`` or use
+   ``RULES_URL`` environment variable to set JSON file location.
+   Default to ``http://127.0.0.1:<server-port>``
+-  HTTPS or redirection port can be set by using
+   ``HTTP_REDIRECT`` or ``PORT_REDIRECT`` environment variables.
 
 
 .. attention::

doc/sources/admin/documentation.rst

@@ -31,7 +31,7 @@ Installation and configuration
    -  `Version 2.0 </documentation/2.0/>`__ (stable)
    -  `Version 1.9 </documentation/1.9/>`__ (oldstable)
 
--  Archived versions (unmaintained by LLNG Team )
+-  Archived versions (unmaintained by LL::NG Team )
 
    -  `Version 1.4 </documentation/1.4/>`__
    -  `Version 1.3 </documentation/1.3/>`__
@@ -42,33 +42,30 @@ Installation and configuration
 Packaged versions
 ~~~~~~~~~~~~~~~~~
 
-These versions are maintained under distribution umbrella following
-their policy.
+These versions are maintained under distribution umbrella following their policy.
 
 Debian
 ^^^^^^
 
 .. tip::
 
-   Following Debian Policy, LLNG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some inor ones)*.
+   Following Debian Policy, LL::NG packages are never upgraded in published distributions. However, security patches are backported by maintenance teams *(except some minor ones)*.
    See `Security tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
 
-=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
-Debian dist                            LLNG version                             Secured                                               Maintenance                                                  LTS Limit                       `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
-=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
-*6*         *Squeeze*                  *0.9.4.1*                                |maybe| No known vulnerability                        *None*                                                       *February 2016*                 *April 2019*
-*7*         *Wheezy*                   `1.1.2 </documentation/1.1/>`__          |maybe| No known vulnerability                        *None*                                                       *May 2018*                      *June 2020*
-**8**       Jessie                     `1.3.3 </documentation/1.3/>`__          |clean| CVE-2019-19791 tagged as minor                **None**  [1]_                                               June 2020                       June 2022
-**9**       Stretch                    `1.9.7 </documentation/1.9/>`__          |clean| CVE-2019-19791 tagged as minor                `Debian LTS Team <https://www.debian.org/lts/>`__            June 2022                       Probably 2024
-\           *Stretch-backports*        `2.0.2 </documentation/2.0/>`__          |bad| CVE-2019-12046, CVE-2019-13031, CVE-2019-15941  *None*                                                       *June 2019*
-\           *Stretch-backports-sloppy* `2.0.11 </documentation/2.0/>`__         |maybe|                                               *None*                                                       *August 2021*
-**10**      Buster                     `2.0.2 </documentation/2.0/>`__          |clean| CVE-2019-19791 tagged as minor                `Debian Security Team <https://security-team.debian.org/>`__ June 2024                       Probably 2026
-\           *Buster-backports*         `2.0.11 </documentation/2.0/>`__         |clean|                                               *None*                                                       *August 2021*
-\           Buster-backports-sloppy    `2.0.11 </documentation/2.0/>`__         |clean|                                               LLNG Team, "best effort" [3]_                                Until Debian 12 release [4]_
-**11**      Bullseye                   `2.0.11 </documentation/2.0/>`__         |clean|                                               `Debian Security Team <https://security-team.debian.org/>`__ July 2026                       Probably 2028
-\           Bullseye-backports         `2.0.11 </documentation/2.0/>`__         |clean|                                               LLNG Team, "best effort" [3]_                                Until Debian 12 release [4]_
-**Next**    Testing/Unstable           Latest  [5]_                             |clean|                                               LLNG Team
-=========== ========================== ======================================== ===================================================== ============================================================ =============================== =============================================================
+=========== ========================== ======================================== ===================================================== ============================================================ =================================== =============================================================
+Debian dist                            LL::NG version                             Secured                                               Maintenance                                                  LTS Limit                           `Extended LTS <https://wiki.debian.org/LTS/Extended>`__ Limit
+=========== ========================== ======================================== ===================================================== ============================================================ =================================== =============================================================
+*6*         *Squeeze*                  *0.9.4.1*                                |maybe| No known vulnerability                        *None*                                                       *February 2016*                     *April 2019*
+*7*         *Wheezy*                   *1.1.2*                                  |maybe| No known vulnerability                        *None*                                                       *May 2018*                          *June 2020*
+*8*         *Jessie*                   *1.3.3*                                  |maybe| CVE-2019-19791 tagged as minor                **None**  [1]_                                               *June 2020*                         *Possibly 2024*
+*9*         *Stretch*                  *1.9.7*                                  |maybe| CVE-2019-19791 tagged as minor                `Debian LTS Team <https://www.debian.org/lts/>`__            *June 2022*                         *Possibly 2024*
+**10**      Buster                     `2.0.2 </documentation/2.0/>`__          |clean| CVE-2019-19791 tagged as minor                `Debian Security Team <https://security-team.debian.org/>`__ June 2024                           Possibly 2026
+\           *Buster-backports*         `2.0.14 </documentation/2.0/>`__         |maybe|                                               *None*                                                       *September 2022*
+\           *Buster-backports-sloppy*  *Adds libauthen-webauthn-perl only*      |maybe|                                               *None*                                                       *September 2022*
+**11**      Bullseye                   `2.0.11 </documentation/2.0/>`__         |clean|                                               `Debian Security Team <https://security-team.debian.org/>`__ July 2026                           Possibly 2028
+\           Bullseye-backports         `2.0.14 </documentation/2.0/>`__         |clean|                                               LL::NG Team, "best effort" [3]_                              July 2024
+**Next**    Testing/Unstable           Latest  [5]_                             |clean|                                               LL::NG Team
+=========== ========================== ======================================== ===================================================== ============================================================ =================================== =============================================================
 
 See `Debian Security
 Tracker <https://security-tracker.debian.org/tracker/source-package/lemonldap-ng>`__
@@ -83,15 +80,16 @@ Ubuntu
    Ubuntu version are included in "universe" branch [8]_, so not really security maintained. Prefer to use our repositories or Debian ones
 
 =========== ============= ================================ ==================================================================== ===========
-Ubuntu dist               LLNG version                     Secured                                                              Maintenance
+Ubuntu dist               LL::NG version                     Secured                                                              Maintenance
 =========== ============= ================================ ==================================================================== ===========
 12.04       Precise       `1.1.2 </documentation/1.1/>`__  |maybe| No known vulnerability                                       None
 14.04       Trusty        `1.2.5 </documentation/1.2/>`__  |maybe| No known vulnerability                                       None
 16.04       Xenial  [9]_  `1.4.6 </documentation/1.4/>`__  |bad| CVE-2019-12046, CVE-2019-13031                                 None
 18.04       Bionic  [9]_  `1.9.16 </documentation/1.9/>`__ |bad| CVE-2019-12046, CVE-2019-13031, CVE-2020-24660                 None
-20.04       Focal  [9]_   `2.0.7 </documentation/2.0/>`__  |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473                 None
-20.10       Groovy        `2.0.8 </documentation/2.0/>`__  |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473                 None
-21.04       Hirsute       `2.0.11 </documentation/2.0/>`__ |bad| CVE-2021-35472, CVE-2021-35473                                 None
+20.04       Focal  [9]_   `2.0.7 </documentation/2.0/>`__  |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473, CVE-2021-40874 None
+20.10       Groovy        `2.0.8 </documentation/2.0/>`__  |bad| CVE-2020-24660, CVE-2021-35472, CVE-2021-35473, CVE-2021-40874 None
+21.04       Hirsute       `2.0.11 </documentation/2.0/>`__ |bad| CVE-2021-35472, CVE-2021-35473, CVE-2021-40874                 None
+22.04       Jammy         `2.0.13 </documentation/2.0/>`__ |bad| CVE-2021-40874                                                 None
 =========== ============= ================================ ==================================================================== ===========
 
 Bug report
@@ -108,7 +106,7 @@ Development
 -  `Source
    code <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/tree/master>`__
 -  `Nightly trunk builds <http://lemonldap-ng.ow2.io/lemonldap-ng/>`__
-   *(for Debian or Ubuntu,*\ **really unstable**\ *)*
+   *(for Debian or Ubuntu, *\ **really unstable**\ *)*
 -  Git access:
 
 ::
@@ -139,19 +137,16 @@ Other
    Possible `Extended LTS <https://wiki.debian.org/LTS/Extended>`__
 
 .. [3]
-   updated by `LLNG Team </team>`__ until dependencies are compatible.
+   updated by `LL::NG Team </team>`__ until dependencies are compatible.
    Don't use backports unless you plan to update your system because
    backports are not covered by Debian Security Policy
 
-.. [4]
-   around July 2023
-
 .. [5]
    few days after release
 
 .. [8]
    Ubuntu universe/multiverse branches are community maintained *(so not
-   maintained by Canonical)*, but in fact nobody considers LLNG security
+   maintained by Canonical)*, but in fact nobody considers LL::NG security
    issues. See `this
    issue <https://bugs.launchpad.net/ubuntu/+source/lemonldap-ng/+bug/1829016>`__
    for example

doc/sources/admin/download.rst

@@ -1,107 +0,0 @@
-Download
-========
-
-Release notes
--------------
-
-Release notes for latest version:
-https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-9-is-out
-
-Go on https://projects.ow2.org/bin/view/lemonldap-ng/ for older
-versions.
-
-See also :doc:`upgrade notes<upgrade>`.
-
-Packages and archives
----------------------
-
-Stable version (2.0.9)
-~~~~~~~~~~~~~~~~~~~~~~
-
-Tarball
-^^^^^^^
-
--  `Tarball <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9.tar.gz>`__
-
-RPM
-^^^
-
-
-.. tip::
-
-    You can:
-    -  Use :ref:`our own YUM repository<installrpm-yum-repository>`.
-    -  Download them here and :ref:`install pre-required packages<prereq-yum>`.
-
-
-RHEL/CentOS 7
-'''''''''''''
-
--  `RPM
-   bundle <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9_el7.rpm.tar.gz>`__
--  `Source
-   RPM <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9-1.el7.src.rpm>`__
-
-RHEL/CentOS 8
-'''''''''''''
-
--  `RPM
-   bundle <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9_el8.rpm.tar.gz>`__
--  `Source
-   RPM <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9-1.el8.src.rpm>`__
-
-Debian
-^^^^^^
-
-
-.. tip::
-
-    You can:
-
-    -  Use
-       :ref:`packages provided by Debian<installdeb-official-repository>`.
-    -  Use
-       :ref:`our own Debian repository<installdeb-llng-repository>`.
-    -  Download them here and
-       :ref:`install pre-required packages<prereq-apt-get>`.
-
-
--  `DEB
-   bundle <https://release.ow2.org/lemonldap/lemonldap-ng-2.0.9_deb.tar.gz>`__
-
-Docker
-^^^^^^
-
-See https://hub.docker.com/r/coudot/lemonldap-ng/
-
-::
-
-   docker pull coudot/lemonldap-ng
-
-Nightly builds from master branch
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Debian repository of master branch, rebuilt every night:
-http://lemonldap-ng.ow2.io/lemonldap-ng/
-
-Older versions
-~~~~~~~~~~~~~~
-
-You can find all versions on `OW2
-releases <https://release.ow2.org/lemonldap/>`__.
-
-Contributions
--------------
-
-See https://github.com/LemonLDAPNG
-
-.. _download-getting-sources-from-svn-repository:
-
-Git repository
---------------
-
-See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-
-::
-
-   git clone git@gitlab.ow2.org:lemonldap-ng/lemonldap-ng.git

doc/sources/admin/error.rst

@@ -4,8 +4,8 @@ Error messages
 
 .. note::
 
-    This page do not reference all error messages, but only the
-    most common
+    This page does not reference all error messages,
+    but only the most common ones
 
 Lemonldap::NG::Common
 ---------------------
@@ -14,7 +14,7 @@ Lemonldap::NG::Common
 
    Warning: key is not defined, set it in the manager !
 
-→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set
+→ LemonLDAP::NG uses a key to crypt/decrypt some data. You have to set
 its value in Manager. This message is displayed only when you upgrade
 from a version older than 1.0
 
@@ -140,3 +140,10 @@ set ``*`` in trustedDomains to accept all).
    XSS attack detected
 
 → Some URL parameters contain forbidden characters.
+
+::
+   
+   Detailled error codes list
+
+→ Corresponding error codes can be found in
+   :doc:`Portal error codes<error_codes>`

doc/sources/admin/error_codes.rst

@@ -0,0 +1,113 @@
+Error codes list
+================
+
+.. note::
+
+    This page references all Portal error codes.
+
+.. code-block:: perl
+
+  PE_IDPCHOICE                       => -5,
+  PE_SENDRESPONSE                      => -4,
+  PE_INFO                              => -3,
+  PE_REDIRECT                          => -2,
+  PE_DONE                              => -1,
+  PE_OK                                => 0,
+  PE_SESSIONEXPIRED                    => 1,
+  PE_FORMEMPTY                          => 2,
+  PE_WRONGMANAGERACCOUNT                => 3,
+  PE_USERNOTFOUND                      => 4,
+  PE_BADCREDENTIALS                     => 5,
+  PE_LDAPCONNECTFAILED                  => 6,
+  PE_LDAPERROR                         => 7,
+  PE_APACHESESSIONERROR                 => 8,
+  PE_FIRSTACCESS                        => 9,
+  PE_BADCERTIFICATE                    => 10,
+  PE_NO_PASSWORD_BE                    => 20,
+  PE_PP_ACCOUNT_LOCKED                 => 21,
+  PE_PP_PASSWORD_EXPIRED               => 22,
+  PE_CERTIFICATEREQUIRED               => 23,
+  PE_ERROR                             => 24,
+  PE_PP_CHANGE_AFTER_RESET             => 25,
+  PE_PP_PASSWORD_MOD_NOT_ALLOWED       => 26,
+  PE_PP_MUST_SUPPLY_OLD_PASSWORD       => 27,
+  PE_PP_INSUFFICIENT_PASSWORD_QUALITY  => 28,
+  PE_PP_PASSWORD_TOO_SHORT             => 29,
+  PE_PP_PASSWORD_TOO_YOUNG             => 30,
+  PE_PP_PASSWORD_IN_HISTORY            => 31,
+  PE_PP_GRACE                          => 32,
+  PE_PP_EXP_WARNING                    => 33,
+  PE_PASSWORD_MISMATCH                 => 34,
+  PE_PASSWORD_OK                       => 35,
+  PE_NOTIFICATION                      => 36,
+  PE_BADURL                            => 37,
+  PE_NOSCHEME                          => 38,
+  PE_BADOLDPASSWORD                    => 39,
+  PE_MALFORMEDUSER                     => 40,
+  PE_SESSIONNOTGRANTED                 => 41,
+  PE_CONFIRM                           => 42,
+  PE_MAILFORMEMPTY                     => 43,
+  PE_BADMAILTOKEN                      => 44,
+  PE_MAILERROR                         => 45,
+  PE_MAILOK                            => 46,
+  PE_LOGOUT_OK                         => 47,
+  PE_SAML_ERROR                        => 48,
+  PE_SAML_LOAD_SERVICE_ERROR           => 49,
+  PE_SAML_LOAD_IDP_ERROR               => 50,
+  PE_SAML_SSO_ERROR                    => 51,
+  PE_SAML_UNKNOWN_ENTITY               => 52,
+  PE_SAML_DESTINATION_ERROR            => 53,
+  PE_SAML_CONDITIONS_ERROR             => 54,
+  PE_SAML_IDPSSOINITIATED_NOTALLOWED   => 55,
+  PE_SAML_SLO_ERROR                    => 56,
+  PE_SAML_SIGNATURE_ERROR              => 57,
+  PE_SAML_ART_ERROR                    => 58,
+  PE_SAML_SESSION_ERROR                => 59,
+  PE_SAML_LOAD_SP_ERROR                => 60,
+  PE_SAML_ATTR_ERROR                   => 61,
+  PE_OPENID_EMPTY                      => 62,
+  PE_OPENID_BADID                      => 63,
+  PE_MISSINGREQATTR                    => 64,
+  PE_BADPARTNER                        => 65,
+  PE_MAILCONFIRMATION_ALREADY_SENT     => 66,
+  PE_PASSWORDFORMEMPTY                 => 67,
+  PE_CAS_SERVICE_NOT_ALLOWED           => 68,
+  PE_MAILFIRSTACCESS                   => 69,
+  PE_MAILNOTFOUND                      => 70,
+  PE_PASSWORDFIRSTACCESS               => 71,
+  PE_MAILCONFIRMOK                     => 72,
+  PE_RADIUSCONNECTFAILED               => 73,
+  PE_MUST_SUPPLY_OLD_PASSWORD          => 74,
+  PE_FORBIDDENIP                       => 75,
+  PE_CAPTCHAERROR                      => 76,
+  PE_CAPTCHAEMPTY                      => 77,
+  PE_REGISTERFIRSTACCESS               => 78,
+  PE_REGISTERFORMEMPTY                 => 79,
+  PE_REGISTERALREADYEXISTS             => 80,
+  PE_NOTOKEN                           => 81,
+  PE_TOKENEXPIRED                      => 82,
+  PE_U2FFAILED                         => 83,
+  PE_UNAUTHORIZEDPARTNER               => 84,
+  PE_RENEWSESSION                      => 85,
+  PE_WAIT                              => 86,
+  PE_MUSTAUTHN                         => 87,
+  PE_MUSTHAVEMAIL                      => 88,
+  PE_SAML_SERVICE_NOT_ALLOWED          => 89,
+  PE_OIDC_SERVICE_NOT_ALLOWED          => 90,
+  PE_OID_SERVICE_NOT_ALLOWED           => 91,
+  PE_GET_SERVICE_NOT_ALLOWED           => 92,
+  PE_IMPERSONATION_SERVICE_NOT_ALLOWED => 93,
+  PE_ISSUERMISSINGREQATTR              => 94,
+  PE_DECRYPTVALUE_SERVICE_NOT_ALLOWED  => 95,
+  PE_BADOTP                            => 96,
+  PE_RESETCERTIFICATE_INVALID          => 97,
+  PE_RESETCERTIFICATE_FORMEMPTY        => 98,
+  PE_RESETCERTIFICATE_FIRSTACCESS      => 99,
+  PE_PP_NOT_ALLOWED_CHARACTER          => 100,
+  PE_PP_NOT_ALLOWED_CHARACTERS         => 101,
+  PE_UPGRADESESSION                 => 102,
+  PE_NO_SECOND_FACTORS                 => 103,
+  PE_BAD_DEVOPS_FILE                   => 104,
+  PE_FILENOTFOUND                   => 105,
+  PE_OIDC_AUTH_ERROR                   => 106
+

doc/sources/admin/exportedvars.rst

@@ -45,19 +45,26 @@ module.
 Extend variables using macros and groups
 ----------------------------------------
 
-Macros and groups are calculated during authentication process by the
-portal:
+Macros and groups are computed during authentication process by the
+Portal:
 
 -  macros are used to extend (or rewrite)
    :doc:`exported variables<exportedvars>`. A macro is stored as
    attributes: it can contain boolean results or any string
--  macros can also be used to import environment variables *(these
+-  macros can also be used for importing environment variables *(these
    variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
--  groups are stored as a string with values separated by ''; ''
-   (default values separator) in the special attribute ``groups``: it
-   contains the names of groups whose rules were returned true for the
+-  groups are stored as a string with values separated by '; '
+   (default multivalues separator) in the special attribute ``groups``: it
+   contains names of groups whose rules were returned true for the
    current user. For example:
 
+.. danger::
+
+    Macros can be used for rewriting or overloading exported variables
+    but it can lead to some side effects. Be aware of alphabetical order
+    and keep in mind that exported variables are set. Then macros and
+    groups are computed.
+
 .. code-block:: perl
 
    $groups = group3; admin

doc/sources/admin/extendedfunctions.rst

@@ -18,12 +18,12 @@ This is also true for:
 
 Inside this jail, you can access to:
 
-* all session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
+* All session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
 * Core Perl subroutines (split, pop, map, etc.)
 * :doc:`Custom functions<customfunctions>`
 * The `encode_base64 <http://perldoc.perl.org/MIME/Base64.html>`__ subroutine
 * Information about current request
-* Extended functions:
+* Extended functions except basic, iso2unicode and unicode2iso:
 
   * basic_
   * checkDate_
@@ -36,9 +36,11 @@ Inside this jail, you can access to:
   * inGroup_ (|new| in version 2.0.8)
   * isInNet6_
   * iso2unicode_
+  * iso2unicodeSafe_ (|new| in version 2.0.15)
   * listMatch_ (|new| in version 2.0.7)
   * token_
   * unicode2iso_
+  * unicode2isoSafe_ (|new| in version 2.0.15)
   * varIsInUri_ (|new| in version 2.0.7)
 
 
@@ -53,48 +55,71 @@ Inside this jail, you can access to:
 Extended Functions List
 -----------------------
 
-date
-~~~~
+basic
+~~~~~
 
-Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
-by calling ``date(1)``
+.. attention::
 
-::
+    This function is not compliant with the :doc:`Safe jail<safejail>`,
+    you will have to disable the jail to use it.
 
-    For example: date(1) lt '19551018080000'
-  
-dateToTime
-~~~~~~~~~~
+This function builds the ``Authorization`` HTTP header employed in
+:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
+convert `user` and `password` parameters from UTF-8 to ISO-8859-1.
 
-.. versionadded:: 2.0.12
+Functions parameters:
 
-Converts a string date into epoch time.
-
-The date format is the LDAP date syntax, for example for the 1st March
-2009 (GMT):
-
-::
-
-    20090301000000Z
-
-The date may end with a differential timezone that is interpreted to 
-adjust the epoch time, for example for the 1st March 2009 (+0100):
-
-::
-
-    20090301000000+0100
+-  **user**
+-  **password**
 
 Simple usage example:
 
 ::
 
-    dateToTime($ssoStartDate) lt dateToTime(date(1))
+   basic($uid,$_password)
+
+checkDate
+~~~~~~~~~
+
+This function checks date of current request, and compare it to
+a start date and an end date. It returns 1 if this matches, 0 else.
+
+
+The date format corresponds to LDAP date syntax, for example for the 1st of March
+2009 (GMT)
+
+::
+
+   20090301000000Z
+
+|new| Since version 2.0.12, the date may end with a differential timezone, 
+for example for the 1st of March 2009 (+0100):
+
+::
+
+    20090301000000+0100
+
+
+Functions parameters:
+
+-  **start**: Start date (GMT unless, |new| since version 2.0.12, a
+   differential timezone is included)
+-  **end**: End date (GMT unless, |new| since version 2.0.12, a
+   differential timezone is included)
+-  **default_access** (optional): Which result to return if **start** and
+   **end** dates are empty
+
+Simple usage example:
+
+::
+
+   checkDate($ssoStartDate, $ssoEndDate)
 
 checkLogonHours
 ~~~~~~~~~~~~~~~
 
-This function will check the day and the hour of current request, and
-compare it to allowed days and hours. It returns 1 if this match, 0
+This function checks the day and the hour of current request, and
+compare it to allowed days and hours. It returns 1 if matches, 0
 else. By default, the allowed days and hours is an hexadecimal
 value, representing each hour of the week. A day has 24 hours, and a
 week 7 days, so the value contains 168 bits, converted into 42
@@ -112,12 +137,12 @@ For example, for a full access, excepted week-end:
     You can use the binary value from the logonHours attribute of Active
     Directory, or create a custom attribute in your LDAP schema.
 
-Functions parameters:
+Function parameters:
 
--  **logon_hours**: string representing allowed logon hours (GMT)
+-  **logon_hours**: String representing allowed logon hours (GMT)
 -  **syntax** (optional): ``hexadecimal`` (default) or ``octetstring``
--  **time_correction** (optional): hours to add or to subtract
--  **default_access** (optional): what result to return if
+-  **time_correction** (optional): Hours to add or to subtract
+-  **default_access** (optional): Which result to return if
    **logon_hours** is empty
 
 Simple usage example:
@@ -156,113 +181,58 @@ rejected. You can allow these users instead of reject them:
 
    checkLogonHours($ssoLogonHours, '', '', '1')
 
+date
+~~~~
 
-checkDate
-~~~~~~~~~
-
-This function will check the date of current request, and compare it to
-a start date and an end date. It returns 1 if this match, 0 else.
-
-
-The date format is the LDAP date syntax, for example for the 1st of March
-2009 (GMT)
+Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT
+by calling ``date(1)``
 
 ::
 
-   20090301000000Z
+    For example: date(1) lt '19551018080000'
 
-|new| Since version 2.0.12, the date may end with a differential timezone, 
-for example for the 1st of March 2009 (+0100):
+dateToTime
+~~~~~~~~~~
+
+.. versionadded:: 2.0.12
+
+Used for converting a string date into epoch time.
+
+The date format is the LDAP date syntax, for example for the 1st March
+2009 (GMT):
+
+::
+
+    20090301000000Z
+
+The date may end with a differential timezone that is interpreted to 
+adjust the epoch time, for example for the 1st March 2009 (+0100):
 
 ::
 
     20090301000000+0100
 
-
-Functions parameters:
-
--  **start**: Start date (GMT unless, |new| since version 2.0.12, a
-   differential timezone is included)
--  **end**: End date (GMT unless, |new| since version 2.0.12, a
-   differential timezone is included)
--  **default_access** (optional): what result to return if **start** and
-   **end** are empty
-
 Simple usage example:
 
 ::
 
-   checkDate($ssoStartDate, $ssoEndDate)
+    dateToTime($ssoStartDate) lt dateToTime(date(1))
 
+encrypt
+~~~~~~~
 
-basic
-~~~~~
+.. tip::
 
-.. attention::
+    Since version 2.0, this function is now compliant with
+    :doc:`Safe jail<safejail>`.
 
-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function builds the ``Authorization`` HTTP header used in
-:doc:`HTTP Basic authentication scheme<applications/authbasic>`. It will
-force conversion from UTF-8 to ISO-8859-1 of user and password data.
-
-Functions parameters:
-
--  **user**
--  **password**
-
-Simple usage example:
+This function uses the secret key of LL::NG configuration to crypt a data.
+This can be used for anonymizing identifier given to the protected
+application.
 
 ::
 
-   basic($uid,$_password)
-
-
-unicode2iso
-~~~~~~~~~~~
-
-
-.. attention::
-
-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function convert a string from UTF-8 to ISO-8859-1.
-
-Functions parameters:
-
--  **string**
-
-Simple usage example:
-
-::
-
-   unicode2iso($name)
-
-iso2unicode
-~~~~~~~~~~~
-
-
-.. attention::
-
-    This function is not compliant with
-    :doc:`Safe jail<safejail>`, you will need to disable the jail to use
-    it.
-
-This function convert a string from ISO-8859-1 to UTF-8.
-
-Functions parameters:
-
--  **string**
-
-Simple usage example:
-
-::
-
-   iso2unicode($name)
+   encrypt($_whatToTrace)
 
 groupMatch
 ~~~~~~~~~~
@@ -290,11 +260,12 @@ has2f
 
 .. versionadded:: 2.0.10
 
-This function tests if the current user has registered a second factor. The following types are supported:
+This function tests if the current user has registered a second factor. The following types are supported out of the box:
 
 * :doc:`TOTP<totp2f>`
 * :doc:`U2F<u2f>`
 * :doc:`UBK<yubikey2f>`
+* :doc:`WebAuthn<webauthn2f>`
 
 Example::
 
@@ -316,6 +287,71 @@ Example::
 
       $_2fDevices =~ /"type":\s*"TOTP"/s
 
+inGroup
+~~~~~~~
+
+.. versionadded:: 2.0.8
+
+This function lets you test if the user is in a given group. It is
+case-insensitive.
+
+Usage example:
+
+::
+
+   inGroup('admins')
+
+   inGroup('test users')
+
+The function returns 1 if the user belongs to the given group, and 0 if
+they don't.
+
+isInNet6
+~~~~~~~~
+
+Function to check if an IPv6 address is in a subnet. Example *check if
+IP address is local*:
+
+.. code-block:: perl
+
+   isInNet6($ipAddr, 'fe80::/10')
+
+iso2unicode
+~~~~~~~~~~~
+
+.. attention::
+
+    This function is not compliant with :doc:`Safe jail<safejail>`.
+    You will have to disable the jail to use it.
+
+This function converts a string from ISO-8859-1 to UTF-8.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   iso2unicode($name)
+
+iso2unicodeSafe
+~~~~~~~~~~~~~~~
+
+This function converts a string from ISO-8859-1 to UTF-8
+but it is not as portable as the original one.
+
+Functions parameters:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   iso2unicodeSafe($name)
+
 .. _listMatch:
 
 listMatch
@@ -346,42 +382,6 @@ Simple usage example:
 The function returns 1 if the value was found, and 0 if it was not
 found.
 
-inGroup
-~~~~~~~
-
-.. versionadded:: 2.0.8
-
-This function lets you test if the user is in a given group. It is
-case-insensitive.
-
-Usage example:
-
-::
-
-   inGroup('admins')
-
-   inGroup('test users')
-
-The function returns 1 if the user belongs to the given group, and 0 if
-they don't.
-
-encrypt
-~~~~~~~
-
-
-.. tip::
-
-    Since version 2.0, this function is now compliant with
-    :doc:`Safe jail<safejail>`.
-
-This function uses the secret key of LLNG configuration to crypt a data.
-This can be used for anonymizing identifier given to the protected
-application.
-
-::
-
-   encrypt($_whatToTrace)
-
 token
 ~~~~~
 
@@ -392,16 +392,6 @@ This function generates token used for
 
    token($_session_id,'webapp1.example.com','webapp2.example.com')
 
-isInNet6
-~~~~~~~~
-
-Function to check if an IPv6 address is in a subnet. Example *check if
-IP address is local*:
-
-.. code-block:: perl
-
-   isInNet6($ipAddr, 'fe80::/10')
-
 varIsInUri
 ~~~~~~~~~~
 
@@ -433,3 +423,39 @@ Example *check if $uid is in /check-auth/ URI*:
    :width: 35px
 .. |image1| image:: /documentation/new.png
    :width: 35px
+
+unicode2iso
+~~~~~~~~~~~
+
+.. attention::
+
+    This function is not compliant with :doc:`Safe jail<safejail>`.
+    You will have to disable the jail to use it.
+
+This function convert a string from UTF-8 to ISO-8859-1.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   unicode2iso($name)
+
+unicode2isoSafe
+~~~~~~~~~~~~~~~
+
+This function convert a string from UTF-8 to ISO-8859-1
+but it is not as portable as the original one.
+
+Function parameter:
+
+-  **string**
+
+Simple usage example:
+
+::
+
+   unicode2isoSafe($name)

doc/sources/admin/external2f.rst

@@ -30,6 +30,9 @@ All parameters are configured in "General Parameters » Portal Parameters
    / Verification to an external provider. You must also use *$code*
    which is the value entered by user; Example:
    ``/usr/local/bin/verify --uid $uid --code $code``
+-  **Re-send interval**: Set this to a non-empty value to allow the user to
+   re-send the code in case a transmission error occured. The value sets how
+   many seconds the user has to wait before each attempt
 -  **Authentication level** (Optional): if you want to overwrite the
    value sent by your authentication module, you can define here the new
    authentication level. Example: 5

doc/sources/admin/fastcgiserver.rst

@@ -1,19 +1,19 @@
 LemonLDAP::NG FastCGI server
 ============================
 
-Since 1.9, Lemonldap::NG provides a FastCGI server usable to protect
+Since 1.9, LL::NG provides a FastCGI server that can be used for protecting
 applications with Nginx (See
-:doc:`Manage virtual hosts<configvhost>` page to
-configure virtual hosts).
+:doc:`Manage virtual hosts<configvhost>` page to configure virtual hosts)
+or the DevOps Handler (See :doc:`SSO as a Service<ssoaas>`).
 
-This FastCGI server can be used for all LLNG components. It compiles
-enabled components on-the-fly.
+This FastCGI server can be implemented for all LL::NG components.
+It compiles enabled components just-in-time.
 
 Start
 -----
 
-Using packages
-~~~~~~~~~~~~~~
+Using package
+~~~~~~~~~~~~~
 
 You just have to install lemonldap-ng-fastcgi-server package, it will be
 started automatically.
@@ -32,15 +32,18 @@ Configuration
 FastCGI server has few parameters. They can be set by environment
 variables (read by startup script) or by command line options. A default
 configuration file can be found in
-``/usr/local/lemonlda-ng/etc/default/llng-fastcgi-server`` (or
+``/usr/local/lemonldap-ng/etc/default/llng-fastcgi-server`` (or
 ``/etc/default/lemonldap-ng-fastcgi-server`` in Debian package).
 
 The FastCGI server reads also ``LLTYPE`` parameter in FastCGI requests
 (see portal-nginx.conf or manager-nginx.conf) to choose which module is
 called:
 
--  ``cgi`` for the portal (or any CGI: it works like PHP-FPM for Perl !)
+-  ``cgi`` to run .cgi scripts in FastCGI compatibility mode
+-  ``psgi`` ro run .psgi scripts under FastCGI
 -  ``manager`` for the manager
+-  ``handler`` for the handler
+-  ``portal`` for the portal
 -  ``status`` to see statistics (if enabled)
 
 if ``LLTYPE`` is set to another value or not set, FastCGI server works

doc/sources/admin/features.rst

@@ -28,11 +28,13 @@ Unifying authentications (Identity Federation)
 
 LL::NG can easily exchange with other authentication systems by using
 SAML, OpenID or CAS protocoles. It may be the backbone of a
-heterogeneous architecture. LL:NG can be set as Identity provider,
+heterogeneous architecture.
+
+LL:NG can be set as Identity provider,
 Service Provider or Protocol Proxy
 (:doc:`LL::NG as federation protocol proxy<federationproxy>`).
 
-Its SOAP API can also be used to dialogue directly with your custom
+Its REST / SOAP API can also be used to dialogue directly with your custom
 applications.
 
 Sessions
@@ -48,8 +50,7 @@ opened sessions:
 
 -  by users
 -  by IP *(IPv4 and IPv6)*
--  by double IP (sessions opened by the same user from multiple
-   computers)
+-  by double IP (sessions opened by the same user from multiple computers)
 -  by date
 
 It can be used to delete a session
@@ -59,9 +60,8 @@ It can be used to delete a session
 Session restrictions
 ~~~~~~~~~~~~~~~~~~~~
 
-By default, a user can open several
-:doc:`sessions<sessions>`. LL::NG can restrict
-the following:
+By default, a user can open several :doc:`sessions<sessions>`.
+LL::NG can restrict the following:
 
 -  Allow only one session per user
 -  Allow only one IP address per user
@@ -72,17 +72,17 @@ Those capabilities can be used simultaneously or separately.
 Double cookie
 ~~~~~~~~~~~~~
 
-LL::NG can be configured to provides
-:doc:`2 cookies<ssocookie>`:
+LL::NG can be configured to provides :doc:`2 cookies<ssocookie>`:
 
 -  one secured (SSL only) for sensitive applications
 -  one unsecured for other applications
 
 So that if the http cookie is stolen, sensitive applications remain secured.
 
+
 Notifications
 -------------
 
 LL::NG can be used to notify users with a message when authenticating. This can be used to
-inform of a change in access rights, the publication of a new IT charter, etc. (See
-:doc:`notifications<notifications>` for more details)
+inform of a change in access rights, the publication of a new IT charter, etc...
+(See :doc:`notifications<notifications>` for more details)

doc/sources/admin/federationproxy.rst

@@ -1,8 +1,7 @@
 LL::NG as federation protocol proxy
 ===================================
 
-LL::NG can use federation protocols (SAML, CAS, OpenID) independently
-to:
+LL::NG can use federation protocols (SAML, CAS, OpenID) independently to:
 
 -  authenticate users
 -  provide identities to other systems
@@ -11,7 +10,7 @@ So you can configure it to authenticate users using a federation
 protocol and simultaneously to provide identities using other(s)
 federation protocols.
 
-Schemes tested:
+Tested schemes:
 
 -  SAML / OpenID-Connect:
 
@@ -30,8 +29,8 @@ Schemes tested:
       :doc:`CAS<idpcas>`/:doc:`SAML<authsaml>` proxy **<=>** SAML
       Identity Provider
 
-Note that OpenID-Connect consortium hasn't already defined single-logout
-initiated by OpenID-Connect Provider. LLNG will implement it when this
+Note that OpenID-Connect consortium has not already defined single-logout
+initiated by OpenID-Connect Provider. LL::NG will implement it when this
 standard will be published.
 
 

doc/sources/admin/formreplay.rst

@@ -22,7 +22,7 @@ anything to the user.
 
 If you configure form replay with LL::NG, the Handler will detect forms
 to fill, add a javascript in the html page to fill form fields with
-dummy datas and submit it, then intercept the POST request and add POST
+dummy data and submit it, then intercept the POST request and add POST
 data in the request body.
 
 POST data can be static values or computed from user's session.
@@ -76,8 +76,8 @@ For example:
    -  postmail: $mail
    -  poststatic: 'static'
 
-Go in Manager, "Virtual Hosts" » *virtualhost* » "Form replay" and click
-on "New form replay".
+Go in Manager, ``Virtual Hosts`` » ``virtualhost`` » ``Form replay`` and click
+on ``New form replay``.
 
 |image0|
 

doc/sources/admin/handlerarch.rst

@@ -25,7 +25,7 @@ Plack servers protection or Nginx/\ :doc:`SSOaaS<ssoaas>` FastCGI/uWSGI server S
 Types are:
 
 -  *(Main)*: link between Main and platform
--  :doc:`AuthBasic<handlerauthbasic>`
+-  :doc:`AuthBasic<authbasichandler>`
 -  :doc:`CDA<cda>`
 -  :doc:`DevOps<devopshandler>`
 -  :doc:`DevOps+ServiceToken<devopssthandler>`