LemonLDAP::NG 2.0.4 is out!
To check whether your current installation is affected by the vulnerability, download this script and run it against your portal:
$ sh llng-1742-test.sh <your portal URL>
More details:
Here are some of the bug fixes and improvements in this release:
- Security:
- HIGH: Enabling tokenUseGlobalStorage allows unauthenticated users to access the portal (and protected applications that have no access rules defined)
- LOW: register_token used for account creation can be used as a valid session identifier
- MINOR: Update jQuery
- Bugs:
- [CAS] /validate endpoint does not return username
- [Kerberos] Duplicate session opening when using multiple Kerberos instances in Combination
- [Manager] Deleted category is not detected as a change when saving conf
- [Manager] Configuration version in Manager is different from software version
- Improvements:
- [REST] Return Session ID when authentication is done via REST
- [CAS] Allow per application CAS login override
- [OIDC] Allow unauthenticated clients on token endpoint
- [UI] Redirection page is now included in template
- [UI] Highlight valid SSO sessions in sessions explorer
- New features:
- [OIDC] PKCE to secure OIDC Authorization Code flow
- [OAuth2] OAuth2 Handler: https://lemonldap-ng.org/documentation/latest/oauth2handler
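PKCE (RFC 7636) binds an authorization code to the client that requested it: the client sends a code_challenge with the authorization request and must later present the matching code_verifier at the token endpoint, so a stolen code alone is useless. The following Python is an added example written for this announcement, not code from the LemonLDAP::NG project; the ToyAuthorizationServer class, its method names and the in-memory code store are constructed for illustration only. It shows both sides of the exchange with the S256 method and includes the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier; 32 random bytes encode to 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent in the authorization request."""
    if not VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier violates the RFC 7636 charset or length")
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        # Allowed by the RFC but offers no protection against a leaked challenge.
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side (token endpoint): recompute the challenge and compare in constant time."""
    if not VERIFIER_RE.match(presented_verifier):
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class ToyAuthorizationServer:
    """Constructed stand-in for the authorization server's PKCE bookkeeping.
    It only models what matters here: the challenge is stored with the code
    at authorization time and checked, once, at token time."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the presented challenge."""
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: the code is single-use and must come with the matching verifier."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown or already redeemed code
        challenge, method = entry
        if not verify_pkce(challenge, method, code_verifier):
            return None  # code was intercepted: holder does not know the verifier
        return "access-token-" + b64url_nopad(secrets.token_bytes(8))


def run_flow() -> tuple[bool, bool, bool]:
    """Legitimate exchange succeeds; replay and an intercepted code both fail."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier, "S256"))
    legit_ok = server.token(code, verifier) is not None
    replay_ok = server.token(code, verifier) is not None
    stolen = server.authorize(make_code_challenge(make_code_verifier(), "S256"))
    stolen_ok = server.token(stolen, make_code_verifier()) is not None
    return legit_ok, replay_ok, stolen_ok


if __name__ == "__main__":
    print(run_flow())  # (True, False, False)
```

The `plain` method is kept only so the verifier function mirrors the RFC; a client should always send S256, and a server may reject `plain` outright. Note that the challenge check here is deliberately separate from the client_secret check, which is the point of the new "unauthenticated clients on token endpoint" improvement above: PKCE is what lets a public client without a secret redeem a code safely.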
The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/milestones/64
This release was made by:
- Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
- Organizations: Gendarmerie Nationale, Worteks, CNAMTS
- Community (issue reports, tests, patches, pull requests): Carl R., Moritz Jordan, Mathieu Lecompte-melançon, Julien Ledoux
If you use LemonLDAP::NG and enjoy it, please let us know:
- https://lemonldap-ng.org/references
- https://www.openhub.net/p/lemonldap-ng
- http://alternativeto.net/software/lemonldap-ng/
- https://comptoir-du-libre.org/softwares/view/101
- https://framalibre.org/content/lemonldapng
- http://twitter.com/lemonldapng
- https://www.facebook.com/lemonldapng/