Please apply general caution as you would with any software: have backups and a rollback plan ready!
Danger
If you have installed LemonLDAP::NG from official RPMs, you may run into bug #1757 and lose your Apache configuration files while updating from LemonLDAP::NG 2.0.0 or 2.0.1 to later versions. Please back up your /etc/httpd/conf.d/z-lemonldap-ng-*.conf files before the update.
$_oidcConsents && $_oidcConsents =~ /\w+/
text/xml instead of application/xml as the MIME Content Type, as required by the SOAP standard
5, 15, 60, 300, 600
This release fixes several issues related to the change in SameSite cookie policy for Google Chrome users. The new default value of the SameSite configuration parameter will set SameSite to Lax unless you are using SAML, in which case it will be set to None.
This means that from now on, any LemonLDAP::NG installation using SAML must be served over HTTPS, as the SameSite None value requires the Secure flag on the cookie.
The default config/session cache directory has been moved from /tmp to /var/cache/lemonldap-ng in order to avoid issues with cache purges when using Systemd. This change is only applied to new installations. If your installation is experiencing cache purge issues, you need to manually change your existing localSessionStorageOptions/cache_root parameter from /tmp to /var/cache/lemonldap-ng. Be sure to create this directory on your file system before modifying your configuration.
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
Note
You are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout
If you are in this situation, you need to modify all your handler-protected virtualhosts by making the following changes:
Replace fastcgi_param X_ORIGINAL_URI $request_uri by fastcgi_param X_ORIGINAL_URI $original_uri if you are using FastCGI
Replace uwsgi_param X_ORIGINAL_URI $request_uri by uwsgi_param X_ORIGINAL_URI $original_uri if you are using uWSGI
Right after auth_request /lmauth;, add the following line:
set $original_uri $uri$is_args$args;
You can check the Manage virtual hosts page for more information
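A complete handler-protected Nginx virtual host showing the three changes above in context, as an added example that is not the handler-nginx.conf shipped by the project: the server name, handler socket path and backend address are assumptions, and the old X_ORIGINAL_URI line is left commented out so the before and after can be compared.

```nginx
# Added example (not the project's shipped handler-nginx.conf): a handler-protected
# virtual host after the X_ORIGINAL_URI change. Server name, socket and backend are assumed.
server {
    listen 80;
    server_name test1.example.com;   # assumed virtual host name

    # Internal subrequest sent to the LL::NG handler for every protected URI
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;  # assumed path
        # Do not forward the client request body to the handler
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep the original hostname so the handler matches the right virtual host
        fastcgi_param HOST $http_host;
        # BEFORE (remove this line): the handler was given the raw request line
        # fastcgi_param X_ORIGINAL_URI $request_uri;
        # AFTER: pass the normalized URI captured in the protected location
        fastcgi_param X_ORIGINAL_URI $original_uri;
    }

    location / {
        auth_request /lmauth;
        # Required right after auth_request: normalized path plus query string
        set $original_uri $uri$is_args$args;
        # Forward the identity header produced by the handler to the application
        auth_request_set $lmremote_user $upstream_http_lm_remote_user;
        proxy_set_header Auth-User $lmremote_user;
        # Send unauthenticated users to the portal URL returned by the handler
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        proxy_pass http://127.0.0.1:8080;   # assumed protected application
    }
}
```

For uWSGI the same change applies to the uwsgi_param X_ORIGINAL_URI line in the /lmauth location.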
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see CVE-2020-16093. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command:
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to /etc/lemonldap-ng/lemonldap-ng.ini
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, you are strongly encouraged to also upgrade the corresponding Apache::Session modules (Apache::Session::LDAP or Apache::Session::Browseable). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:
ldapVerify    none
Please note that it is HIGHLY recommended to set certificate validation to require when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.
singleSessionUserByIP was removed, see #2159
FcgidMaxRequestsPerProcess 500 in portal virtual host
PM_MAX_REQUESTS=500 in llng-fastcgi-server service configuration
SameSite value: to avoid problems with recent browsers and the SAML POST binding, LLNG cookies are now tagged as “SameSite=None”. You can change this value using the manager; “SameSite=Lax” is best for installations without federations. Important note: if you’re using an unsecured connection (http:// instead of https://), “SameSite=None” will be ignored by browsers and users that already have a valid session might be prompted to login again.
AH01630: client denied by server configuration: /usr/share/lemonldap-ng/manager/api/api.fcgi
when trying to access the portal. It probably comes from incorrect Apache configuration. Remove the (optional and disabled by default) manager API config:
rm /etc/httpd/conf.d/z-lemonldap-ng-api.conf && systemctl reload httpd
Lemonldap/NG/Common/PSGI/Request.pm, the Apache rewrite rule must be updated to avoid unprotected access to REST services:
portal-apache2.conf
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
manager-apache2.conf
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
checkTime was enabled by default in lemonldap-ng.ini; this lets the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need high performance.
samlIdPResolveCookie
$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)
yum install -y urw-base35-fonts-legacy
sed 's,/usr/share/fonts/default/Type1/,/usr/share/X11/fonts/urw-fonts/,g' -i /etc/ImageMagick/type-ghostscript.xml
Attention
2.0 is a major release; a lot of things have changed. You must read this document before upgrading.
As usual, if you use more than one server and don’t want to stop the SSO service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, the upgrade must be done in the following order:
Attention
You must revalidate your configuration using the manager.
Attention
French documentation is no longer available. Only the English version of this documentation is maintained now.
This release of LL::NG requires these minimal versions of GNU/Linux distributions:
For SAML features, we require at least Lasso 2.5 and we recommend Lasso 2.6.
/usr/share/lemonldap-ng/portal/templates. See skin customization to adapt your templates.
mailUrl => 'http://auth.example.com/resetpwd',
registerUrl => 'http://auth.example.com/register',
trustedProxies was removed, you must now configure your Web Server to manage the X-Forwarded-For header, see how to run LL::NG behind a reverse proxy.
Attention
Apache mod_perl has had a lot of stability problems since version 2.4 (many segfaults, …), especially when using MPM worker or MPM event. That’s why LL::NG no longer uses ModPerl::Registry: everything is now handled by FastCGI (portal and manager), except for the Apache2 Handler.
For Handlers, it is now recommended to migrate to Nginx, but Apache 2.4 is still supported with MPM prefork.
The portal now has the same behavior as the handlers: it looks at the configuration stored in the local cache every 10 minutes. So it has to be reloaded like every handler.
Attention
If you want to use the reload mechanism on a portal-only host, you must install a handler on the Portal host to be able to refresh the local cache. Include handler-nginx.conf or handler-apache2.conf, for example.
LDAP connections are now kept open to improve performance. To allow that, LL::NG requires anonymous access to the LDAP RootDSE entry to check the connection.
lemonldap-ng.ini file only. If you use Syslog, you must reconfigure it. See logs for more.
LLNG portal now embeds the following features:
Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned. The WWW-Authenticate header contains: SSO <portal-URL>
Attention
The AuthBasic Handler now uses REST services instead of SOAP.
The CAS authentication module no longer uses the Perl CAS client, but our own code. You can now define several CAS servers in a specific branch in the Manager, just as you can define several SAML or OpenID Connect providers.
The CAS issuer module has also been improved; you must modify the configuration of CAS clients to move them from the virtual host branch to the CAS client branch.
Portal has now many REST features and includes an API plugin. See Portal manpages to learn how to write auth modules, issuers or other features.
The Portal is no longer a single CGI object. Since 2.0, it is based on Plack/PSGI and Mouse modules. Brief summary:
Portal object
|
+-> auth module
|
+-> userDB module
|
+-> issuer modules
|
+-> other plugins (notification,...)
Requests are independent objects based on Lemonldap::NG::Portal::Main::Request which inherits from Lemonldap::NG::Common::PSGI::Request which inherits from Plack::Request. See manpages for more.
Handler libraries have been totally rewritten. If you’ve made custom handlers, they must be rewritten, see customhandlers.
If you used self-protected CGIs, you also need to rewrite them, see documentation.