LemonLDAP::NG 2.0.10 is out!
Security
A vulnerability affecting LemonLDAP::NG installations has been found. It applies only when all of the following criteria are met:
- Your handler server uses Nginx
- Your virtual host configuration contains a per-URL skip or unprotect access rule
In this situation, you must update your Lua configuration file (for example /etc/nginx/nginx-lua-headers.conf). See also issue 2434.
Other minor security fixes:
- It is now possible to hide session identifiers in the Manager (parameter displaySessionId). See also issue 2350.
- Second factor management by the end user now requires safer conditions. See also issue 2332, issue 2337 and issue 2338.
New features
Combination Password module
Password change now works with the Combination module. This allows, for example, configuring authentication against several LDAP backends and letting users change their password in the appropriate backend.
A specific macro can be set to force the password backend, which is useful when using SASL delegation.
Learn more on https://lemonldap-ng.org/documentation/latest/authcombination.html#password-management
Adaptative Authentication
A new plugin allows the authentication level to be incremented or decremented depending on the authentication context (IP range, device, date and time, ...). Combined with session upgrade through 2FA, you can now require a second factor to access some applications, but only for users connecting from an external network. Many other use cases are also possible!
Learn more on https://lemonldap-ng.org/documentation/latest/adaptativeauthenticationlevel.html and https://lemonldap-ng.org/documentation/latest/secondfactor.html#session-upgrade-through-2fa
SAML signatures
SHA256 is now the default signature method (instead of SHA1); SHA384 and SHA512 are also available. The method can be configured per provider, so you can switch back to SHA1 if you federate with older software.
Another improvement to SAML configuration: when creating new SAML keys, the public key is now directly encapsulated inside an X509 certificate, which is often the only format accepted by SAML partners.
Learn more on https://lemonldap-ng.org/documentation/latest/samlservice.html
Kerberos domain whitelist
When using Kerberos authentication, a domain whitelist can be configured.
Learn more on https://lemonldap-ng.org/documentation/latest/authkerberos.html
Plugin engine for Issuers
It is now possible to add hooks on specific OIDC and SAML request-processing steps.
For example, to alter the OIDC ID Token returned to a Relying Party:
    # Map the hook name to the plugin method that handles it
    use constant hook => {
        oidcGenerateIDToken => 'addClaimToIDToken',
    };

    # Called with the request, the ID Token payload (hashref) and the RP name
    sub addClaimToIDToken {
        my ( $self, $req, $payload, $rp ) = @_;
        $payload->{"id_token_hook"} = 1;    # add a custom claim
        return PE_OK;                       # continue normal processing
    }
Learn more on https://lemonldap-ng.org/documentation/latest/hooks.html
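The snippet above shows only the hook method. The following is a complete plugin module, added here as an illustration and not taken from the LemonLDAP::NG project, that uses the same oidcGenerateIDToken hook to copy a session attribute into the ID Token for selected Relying Parties and to refuse token generation when the attribute is missing or malformed. The package name, the tenant session attribute, the "internal-" RP naming convention, and the assumption that a non-PE_OK return value aborts token generation (as described in the hooks documentation) are all assumptions of this example; $req->sessionInfo, $self->logger and the PE_* constants are standard portal APIs.

```perl
# Added example, not code from the LemonLDAP::NG project.
# Enable it through the "Custom plugins" (customPlugins) parameter.
package Lemonldap::NG::Portal::Plugins::TenantClaim;

use strict;
use warnings;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_ERROR);

extends 'Lemonldap::NG::Portal::Main::Plugin';

# Register the hook: the oidcGenerateIDToken step calls addTenantClaim
use constant hook => {
    oidcGenerateIDToken => 'addTenantClaim',
};

# Session attribute copied into the token (assumption: filled by your
# exported variables or macros configuration)
our $TENANT_ATTR = 'tenant';

sub init { 1 }    # nothing to set up

# $payload is the ID Token claims hashref; $rp is the Relying Party name
sub addTenantClaim {
    my ( $self, $req, $payload, $rp ) = @_;

    # Assumption: only RPs named "internal-..." should receive the claim
    return PE_OK unless $rp =~ /^internal-/;

    my $tenant = $req->sessionInfo->{$TENANT_ATTR};

    # Refuse to issue a token rather than emit an empty or unexpected value
    unless ( defined $tenant and $tenant =~ /^[a-z0-9-]{1,64}$/ ) {
        $self->logger->warn("No valid $TENANT_ATTR in session for RP $rp");
        return PE_ERROR;
    }

    $payload->{tenant} = $tenant;
    return PE_OK;
}

1;
```

Validating the attribute before adding it keeps the token content predictable for the RP: a claim that is sometimes absent and sometimes an arbitrary string is harder for the consuming application to handle safely than a token that is simply not issued.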
OpenID Connect claims
The type of each claim can now be configured, to force it to an integer, string or boolean, and to control whether it is returned as an array.
This fixes an issue with the Mattermost configuration, which requires the id claim to be an integer.
Learn more on https://lemonldap-ng.org/documentation/latest/idpopenidconnect.html#openid-connect-claims and https://lemonldap-ng.org/documentation/latest/applications/mattermost.html
Changelog
Download
Credits
They made this release:
- Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
- Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, FER Genève, Communauté Urbaine de Caen la Mer
- Community (opening issues, tests, patches, pull requests): Nicolas B., Daniel Berteaud, David Coutadeur, Paul Curie, Andreas Deschka, Dominique Fournier, Antoine Gallavardin, Alexandre Karim, Matthieu Lamalle, Tuan Le Cong, Julien Ledoux, Vincent Mazenod, pgnd, Nicolas R, Ross Steiner, Andy Tan, Aurelien Tisne
If you use LemonLDAP::NG and enjoy it, please let us know: