LemonLDAP::NG 2.0.16 is out!

This is a new release for 2.0 major version including fixes improvements and new features.

⚠ Please follow upgrade notes if you upgrade from a previous version!

🔢 Versioning

To respect as mush as possible Semantic Versionning, 2.0.16 will be the last of 2.0.X versions, as we cannot consider all 2.0.X versions are "patch" version, but they are clearly "minor" versions of the 2.0 branch.

So the next minor version will be 2.17.0, and if this is needed, we will release 2.16.1, 2.16.2... to provide urgent bugfixes for 2.0.16/2.16.0.

🔐 Security

2 security issues have been fixed:

  • Issue #2803 : Adding registrable 2F does not test the current authn level
  • Issue #2832 : Redirection URL validation bypass using credentials in URL

🌟 Improvements and new features


LL::NG CAS provider can now send back-channel SLO requests to CAS applications.


To ease the configuration of big federations (like Renater and EduGain), we now avoid to load all metadata in global configuration, but manage the federation as a dedicated configuration parameter.

OpenID Connect

For some applications like Netbird and Sharepoint, we added some optional attributes in JWKS endpoint. These applications can now use LL::NG as OpenID Connect Provider. Also to be compatible with more applications, we added support for response_mode=form_post.

The claim configuration has been simplified. Before now, OIDC exported attributes had to be explicitely linked to a requested scope to be sent to client application (which is what is required by the standard). Now all exported attributes can be sent to the client application, even if they do not belong to requested scopes. An option is available to force the old - standard - behavior.

The OAuth 2.0 Token Exchange support is available, you need to write your own plugin to use the hook oidcGotTokenExchange.


See how to manage authentication on applications with LL::NG and Traefik ForwardAuth: Deploy Traefik configuration

Plugin Pwned Passwords API

Read documentation of the plugin

Plugin Geolocation

This plugin use Maxmind GeoIP database to get country and city from user IP address. This information can then be used to increase the risk level and require a second factor, or deny access.

Read documentation of the plugin

Second Factors (2FA)

A generic 2FA register module has been created, so you can now request information like personal email or personal mobile phone to end-users so they can rely on it for their 2FA.

A very low security module has been provided for organizations that could really not use another solution: Password. This module will ask a specific password/passphrase, which is not the primary password. This second password is managed by LL::NG and not stored in another system.

📃 Changelog

The full changelog can be found here.

⬇ Download

Use the official repositories (Debian/RPM), our Docker image or get the archives.

👏 Credits

A lot of people and organizations have contributed to this version, thanks to them!

  • Core team: Maxime Besson, David Coutadeur, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations : Gendarmerie Nationale, Worteks, CNAM, Orange, Ville de Nanterre, AIrbus, Campus Condorcet, INRAE, FER Genève, Atos, DGDDI
  • Community (issues opening, tests, patches, pull requests) : Philippe Lhardy, Jan Baier, Albert Rinceau, Julian Vanden Broeck, Pascal Rigaux, Master Q, Florian Charlaix, Mickael Bride, Daniel Berteaud, Slaven Rezic, Moritz Bunkus, Mathieu MD

If you use LemonLDAP::NG and enjoy it, please let us know: