Upgrade from 1.9 to 2.0

As usual, if you use more than 1 server and don't want to stop SSO service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order:

1. servers with handlers only;
2. portal servers (all together if your load balancer is stateless (user or client IP) and if users use the menu);
3. manager server

This release of LL::NG requires these minimal versions of GNU/Linux distributions:

• Debian 9 (stretch)
• Ubuntu 16.04 LTS
• CentOS 7
• RHEL 7

For SAML features, we require at least Lasso 2.5 and we recommend Lasso 2.6.

• User module in authentication parameters now provides a “Same as authentication” value. You must revalidate it in the manager since all special values must be replaced by this (Multi, Choice, Proxy, Slave, SAML, OpenID*,…)
• “Multi” doesn't exist anymore: it is replaced by Combination, a more powerful module.
• Apache and Nginx configurations must be updated to use FastCGI portal
• URLs for mail reset and register pages have changed, you must update configuration parameters. For example:

  mailUrl => 'http://auth.example.com/resetpwd',
  registerUrl => 'http://auth.example.com/register',

Now portal has the same behavior than handlers: it looks to configuration stored in local cache every 10 minutes. So it has to be reload like every handler.

Now LDAP connections are kept open to improve performances. To allow that, LL::NG requires an anonymous access to LDAP RootDSE entry to check connection.

• A new Kerberos authentication backend has been added since 2.0. This module solves many Kerberos integration problems (usage in conjunction with other backends, better error display,…). However, you can retain the old integration manner (using Apache authentication module).
• For SSL, a new Ajax option can be used in the same idea: so SSL can be used in conjunction with other backends.

• Syslog: logs are now configured in lemonldap-ng.ini file only. If you use Syslog, you must reconfigure it. See logs for more.
• Apache2: Portal doesn't use anymore Apache2 logger. Logs are always written to Apache error.log but Apache “LogLevel” parameter has no more effect on it. Portal is now a FastCGI application and doesn't use anymore ModPerl. See logs for more.

LLNG portal now embeds the following features:

• CSRF protection (Cross-Site Request Forgery): a token is build for each form. To disable it, set requireToken to 0 (portal security parameters in the manager)
• Content-Security-Policy header: portal build dynamically this header. You can modify default values in the manager (Général parameters » Advanced parameters » Security » Content-Security-Policy)

• Apache only:
  • Apache handler is now Lemonldap::NG::Handler::ApacheMP2 and Menu is now Lemonldap::NG::Handler::ApacheMP2::Menu
  • because of an Apache behaviour change, PerlHeaderParserHandler must no more be used with “reload” URLs (replaced by PerlResponseHandler). Any “reload url” that are inside a protected vhost must be unprotected in vhost rules (protection has to be done by web server configuration).
• CDA, ZimbraPreAuth, SecureToken and AuthBasic are now Handler Types. So there is no more special file to load: you just have to choose “VirtualHost type” in the manager/VirtualHosts.
• SSOCookie: Since Firefox 60 and Chrome 68, “+2d, +5M, 12h and so on…” cookie expiration time notation is no more supported. CookieExpiration value is a number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately.

• hostname() and remote_ip() are no more provided to avoid some name conflicts (replaced by $ENV{})
• $ENV{<cgi_variable>} is now available everywhere: see Writing rules and headers
• some variable names have changed. See variables document

• Apache-1.3 files are not provided now. You can build them yourself by looking at Apache-2 configuration files

Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned. WWW-Authenticate header contains: SSO <portal-URL>

• SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled
• Notifications are now REST/JSON by default. You can force old format in the manager. Note that SOAP proxy has changed: http://portal/notifications now.
• If you use “adminSessions” endpoint with “singleSession*” features, you must upgrade all portals simultaneously
• SOAP services can be replaced by new REST services

Portal has now many REST features and includes an API plugin. See Portal manpages to learn how to write auth modules, issuers or other features.

Portal is no more a single CGI object. Since 2.0, It is based on Plack/PSGI and Mouse modules. Little resume

Portal object
  |
  +-> auth module
  |
  +-> userDB module
  |
  +-> issuer modules
  |
  +-> other plugins (notification,...)

Requests are independant objects based on Lemonldap::NG::Portal::Main::Request which inherits from Lemonldap::NG::Common::PSGI::Request which inherits from Plack::Request. See manpages for more.

Handler libraries have been totally rewritten. If you've made custom handlers, they must be rewritten, see customhandlers.

If you used self protected CGI, you also need to rewrite them, see documentation.