Cookie issues with Chrome
This release fixes several issues related to the change in SameSite cookie policy for Google Chrome users. The new default value of the SameSite configuration parameter will set SameSite to Lax, unless you are using SAML, in which case it will be set to None.
This means that from now on, any LemonLDAP::NG installation using SAML must be served over HTTPS, as the SameSite None value requires the Secure flag on the cookie.
Change in default cache directory
The default config/session cache directory has been moved from /tmp to /var/cache/lemonldap-ng in order to avoid issues with cache purges when using Systemd. This change is only applied to new installations. If your installation is experiencing cache purge issues, you need to manually change your existing localSessionStorageOptions/cache_root parameter from /tmp to /var/cache/lemonldap-ng. Be sure to create this directory on your file system before modifying your configuration.
If you are using SELinux, you also need to run the following commands:
semanage fcontext --add -t httpd_cache_t -f a '/var/cache/lemonldap-ng(/.*)?'
restorecon -R /var/cache/lemonldap-ng/
Required changes in NGINX handler rules (CVE-2020-24660)
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
- You are using the LemonLDAP::NG Handler to protect applications
- Your handler server uses Nginx
- Your virtual host configuration contains per-URL access rules based on regular expressions in addition to the built-in default access rule.
Note: You are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout.
If you are in this situation, you need to modify all your handler-protected virtualhosts by making the following changes:
- If you are using FastCGI, replace fastcgi_param X_ORIGINAL_URI $request_uri with fastcgi_param X_ORIGINAL_URI $original_uri
- If you are using uWSGI, replace uwsgi_param X_ORIGINAL_URI $request_uri with uwsgi_param X_ORIGINAL_URI $original_uri
- Right after auth_request /lmauth; add the following line:
  set $original_uri $uri$is_args$args;
You can check the Manage virtual hosts page for more information.
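To verify that the change above has been applied to every handler virtual host, the following POSIX sh audit (an added example, not code from the LemonLDAP::NG project) flags files that still pass $request_uri as X_ORIGINAL_URI or that use auth_request /lmauth without the set $original_uri line. The two vhost files it checks are constructed here for the demonstration.

```sh
# Added example, not part of LemonLDAP::NG: audit Nginx handler vhost files
# for the CVE-2020-24660 configuration change. Sample vhosts are constructed.

# Returns 0 when the file already carries the fix, 1 when it still needs it.
audit_lmng_vhost() {
    f="$1"
    status=0
    # X_ORIGINAL_URI must be fed from $original_uri, not $request_uri
    if grep -Eq '(fastcgi|uwsgi)_param[[:space:]]+X_ORIGINAL_URI[[:space:]]+\$request_uri' "$f"; then
        echo "$f: X_ORIGINAL_URI still passes \$request_uri; use \$original_uri"
        status=1
    fi
    # A vhost using auth_request /lmauth must also define $original_uri
    if grep -Eq 'auth_request[[:space:]]+/lmauth;' "$f" \
        && ! grep -Eq 'set[[:space:]]+\$original_uri[[:space:]]+\$uri\$is_args\$args;' "$f"; then
        echo "$f: missing 'set \$original_uri \$uri\$is_args\$args;' after auth_request"
        status=1
    fi
    return "$status"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: vhost written before this release, still needs the change
cat > "$SAMPLE_DIR/old.conf" <<'EOF'
location = /lmauth {
  internal;
  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  fastcgi_param X_ORIGINAL_URI $request_uri;
}
location / {
  auth_request /lmauth;
}
EOF

# Constructed sample: the same vhost with the fix applied
cat > "$SAMPLE_DIR/new.conf" <<'EOF'
location = /lmauth {
  internal;
  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  fastcgi_param X_ORIGINAL_URI $original_uri;
}
location / {
  auth_request /lmauth;
  set $original_uri $uri$is_args$args;
}
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    if audit_lmng_vhost "$f"; then
        echo "$f: OK, already migrated"
    fi
done
```

On a real server, point the loop at your Nginx vhost directory (for example /etc/nginx/sites-enabled) instead of $SAMPLE_DIR.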
LDAP certificate validation (CVE-2020-16093)
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see CVE-2020-16093. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable validation again with the following command:
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to /etc/lemonldap-ng/lemonldap-ng.ini:
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, you are strongly encouraged to also upgrade the corresponding Apache::Session modules (Apache::Session::LDAP or Apache::Session::Browseable). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
- key: ldapVerify
- value: none
Please note that it is HIGHLY recommended to set certificate validation to require when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.