Please apply general caution as you would with any software: have backups and a rollback plan ready!
Danger: if you have installed LemonLDAP::NG from official RPMs, you may run into bug #1757 and lose your Apache configuration files when updating from LemonLDAP::NG 2.0.0 or 2.0.1 to later versions. Please back up your /etc/httpd/conf.d/z-lemonldap-ng-*.conf files before the update.
$_oidcConsents && $_oidcConsents =~ /\w+/
text/xml instead of application/xml as the MIME Content Type, as required by the SOAP standard
5, 15, 60, 300, 600
This release fixes several issues related to the change in SameSite cookie policy for Google Chrome users. The new default value of the SameSite configuration parameter will set SameSite to Lax, unless you are using SAML, in which case it will be set to None.
This means that from now on, any LemonLDAP::NG installation using SAML must be served over HTTPS, as the SameSite None value requires the Secure flag on the cookie.
The default config/session cache directory has been moved from /tmp to /var/cache/lemonldap-ng in order to avoid issues with cache purges when using Systemd. This change is only applied to new installations. If your installation is experiencing cache purge issues, you need to manually change your existing localSessionStorageOptions/cache_root parameter from /tmp to /var/cache/lemonldap-ng. Be sure to create this directory on your file system before modifying your configuration.
We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:
Note: you are safe from this vulnerability if your virtualhost only uses a regexp-based rule to trigger logout.
If you are in this situation, you need to modify all your handler-protected virtualhosts by making the following changes:
- If you are using FastCGI, replace fastcgi_param X_ORIGINAL_URI $request_uri by fastcgi_param X_ORIGINAL_URI $original_uri
- If you are using uWSGI, replace uwsgi_param X_ORIGINAL_URI $request_uri by uwsgi_param X_ORIGINAL_URI $original_uri
- Right after auth_request /lmauth; add the following line:
set $original_uri $uri$is_args$args;
You can check the Manage virtual hosts page for more information.
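As an added example that is not part of the LemonLDAP::NG documentation, here is the relevant part of a handler-protected Nginx virtual host (FastCGI variant) with the weak X_ORIGINAL_URI line shown commented out beside its replacement; the server name, backend address and handler socket path are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    # Internal location that asks the LemonLDAP::NG handler whether
    # the request is allowed.
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        # Assumed socket path of the llng-fastcgi-server service.
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Weak (before the fix): $request_uri is the raw request line,
        # not the URI Nginx normalized and matched against locations.
        # fastcgi_param X_ORIGINAL_URI $request_uri;
        # Fixed: pass the normalized URI captured in the parent location.
        fastcgi_param X_ORIGINAL_URI $original_uri;
    }

    location / {
        auth_request /lmauth;
        # Added right after auth_request, as the release notes require:
        # normalized path plus the query string, if any. Variables set
        # here are visible to the /lmauth subrequest.
        set $original_uri $uri$is_args$args;
        proxy_pass http://127.0.0.1:8080;   # assumed protected backend
    }
}
```

After editing, run nginx -t and reload Nginx so every protected virtual host uses $original_uri.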
LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see CVE-2020-16093. Starting from this release, certificate validation is now enabled by default, including on existing installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable it again with the following command
/your/path/to/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a configuration storage, and want to temporarily disable certificate validation, you must make the following addition to /etc/lemonldap-ng/lemonldap-ng.ini
[configuration]
...
ldapVerify = none
If you use LDAP as a session backend, you are strongly encouraged to also upgrade the corresponding Apache::Session modules (Apache::Session::LDAP or Apache::Session::Browseable). After this upgrade, if you want to temporarily disable certificate validation, you can add the ldapVerify parameter with the value none to the list of Apache::Session module options.
Please note that it is HIGHLY recommended to set certificate validation to the value require when contacting LDAP servers over a secure transport, to avoid man-in-the-middle attacks.
singleSessionUserByIP was removed, see #2159
FcgidMaxRequestsPerProcess 500 in portal virtual host
PM_MAX_REQUESTS=500 in llng-fastcgi-server service configuration
SameSite value: to avoid problems with recent browsers and the SAML POST binding, LLNG cookies are now tagged as “SameSite=None”. You can change this value using the manager; “SameSite=Lax” is best for installations without federations. Important note: if you’re using an unsecured connection (http:// instead of https://), “SameSite=None” will be ignored by browsers, and users that already have a valid session might be prompted to log in again.
If you get the error
AH01630: client denied by server configuration: /usr/share/lemonldap-ng/manager/api/api.fcgi
when trying to access the portal, it probably comes from an incorrect Apache configuration. Remove the (optional and disabled by default) manager API config:
rm /etc/httpd/conf.d/z-lemonldap-ng-api.conf && systemctl reload httpd
Following changes in Lemonldap/NG/Common/PSGI/Request.pm, the Apache rewrite rules must be updated to avoid unprotected access to REST services:
portal-apache2.conf:
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
manager-apache2.conf:
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
checkTime was enabled by default in lemonldap-ng.ini; this lets the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need strong performance.
samlIdPResolveCookie
$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)
yum install -y urw-base35-fonts-legacy
sed 's,/usr/share/fonts/default/Type1/,/usr/share/X11/fonts/urw-fonts/,g' -i /etc/ImageMagick/type-ghostscript.xml