LemonLDAP::NG 2.0.10 is out!

Please follow all upgrade notes if you are upgrading from another version.


A vulnerability affecting LemonLDAP::NG installations has been found out when ALL following criteria apply:

  • Your handler server uses Nginx
  • Your virtual host configuration contains per-URL skip or unprotect access rule

In this situation, you have to update your LUA configuration file like /etc/nginx/nginx-lua-headers.conf. See also issue 2434.

Other minor security fixes:

  • It is now possible to hide sessions identifier in Manager (parameter displaySessionId). See also issue 2350.
  • Second factor management by end user now requires safer conditions. See also issue 2332, issue 2337 and issue 2338.

New features

Combination Password module

Password change is now working with Combination module. This allows for example to configure authentication on several LDAP backends and let users change their password in the appropriate backend.

A specific macro can be set to force the password backend, which can be useful when using SASL delegation.

Learn more on https://lemonldap-ng.org/documentation/latest/authcombination.html#password-management

Adaptative Authentication

A new plugin was introduced and allows to increment or decrement authentication level depending on authentication context (IP range, device, date and time, ...). Associated to session upgrade with 2FA, you can now require a second factor to access some applications, but only for users connecting from external network. A lot of other use cases are also possible!

Learn more on https://lemonldap-ng.org/documentation/latest/adaptativeauthenticationlevel.html and https://lemonldap-ng.org/documentation/latest/secondfactor.html#session-upgrade-through-2fa

SAML signatures

SHA256 is now the default signature method (instead of SHA1), SHA384 and SHA512 methods are also available. This method can be configured for each provider, so you can switch back to SHA1 if you have a federation with an old software.

Another improvement for SAML configuration: when creating new SAML keys, the public key is directly encapsulated inside an X509 certificate. This format is often the only one accepted by SAML partners.

Learn more on https://lemonldap-ng.org/documentation/latest/samlservice.html

Kerberos domain whitelist

When using Kerberos authentication, a domain whitelist can be configured.

Learn more on https://lemonldap-ng.org/documentation/latest/authkerberos.html

Plugin engine for Issuers

It is now possible to add hooks on specific OIDC and SAML requests processing steps.

For example, to alter the OIDC ID Token returned to a Relying party:

use constant hook => {
    oidcGenerateIDToken          => 'addClaimToIDToken',

sub addClaimToIDToken {
    my ( $self, $req, $payload, $rp ) = @_;
    $payload->{"id_token_hook"} = 1;
    return PE_OK;

Learn more on https://lemonldap-ng.org/documentation/latest/hooks.html

OpenID Connect claims

Claims type can be configured, to force them as int, string or boolean, and also if they should be displayed as an array or not.

This fixes an issue with Mattermost configuration, which requires the id claim to be an integer.

Learn more on https://lemonldap-ng.org/documentation/latest/idpopenidconnect.html#openid-connect-claims and https://lemonldap-ng.org/documentation/latest/applications/mattermost.html




They made this release:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations : Gendarmerie Nationale, Worteks, CNAMTS, Orange, FER Genève, Communauté Urbaine de Caen la Mer
  • Community (issues opening, tests, patches, pull requests) : Nicolas B., Daniel Berteaud, David Coutadeur, Paul Curie, Andreas Deschka, Dominique Fournier, Antoine Gallavardin, Alexandre Karim, Matthieu Lamalle, Tuan Le Cong, Julien Ledoux, Vincent Mazenod, pgnd, Nicolas R, Ross Steiner, Andy Tan, Aurelien Tisne

If you use LemonLDAP::NG and enjoy it, please let us know: