LemonLDAP::NG 2.0.6 is out!
This is quite a big release, with more than 80 issues closed! Here are some of the bug fixes and improvements in this release:
- Security:
  - [Security:high] OIDC authorization codes are not tied to their RP (CVE-2019-15941)
  - [Security:medium] AuthSlave does not check credential headers
  - [Security:low] nginx portal example file does not filter REST URLs
  - [Security:low] Restricted users can edit conf by using default route
  - [Security:low] Access token expiration time is not enforced on userinfo or OAuth handler
  - [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
  - [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
- Bugs:
  - [OIDC] Use base64 URL for JWT generation
  - [OIDC] Return claims from scope values in ID token if no access token requested
  - [Notifications] Many fixes with authentication workflow
  - [SAML] Incorrect loading of SAML metadata when entityID contains HTML-encoded characters
  - [LinkedIn] LinkedIn v1 API is not available anymore
  - [Password Reset] Several fixes with LDAP backend / Combination backend
  - Some encoding fixes
- Improvements:
  - [LDAP] Support IBM Tivoli Directory Server (ITDS)
  - Better logging
  - [CheckUser plugin] Search parameters
  - Implement CORS preflight request
- New features:
  - Define a local password policy
  - ContextSwitching plugin
  - OAuth2 introspection endpoint
  - Radius 2F module
  - Multiple instances of 2F modules
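Three of the items above concern JWT handling: rejecting the "none" algorithm when signature verification is enforced, enforcing the access token expiration time, and using base64url for JWT segments. The following is an added example written for this announcement, not code from LemonLDAP::NG itself; it is a minimal stdlib-only verifier for HS256 JWTs that shows the checks a relying party must make in that order (allowed algorithm first, then signature, then `exp`). The key, claims and helper names (`encode_jws`, `verify_jwt`, `outcome`) are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Allow-list of signing algorithms. "none" is deliberately absent: a token whose
# header claims alg "none" carries no signature and must be rejected outright.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jws(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWS. Used here only to construct test vectors for the verifier."""
    segs = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segs).encode("ascii")
    if header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        sig = b""  # an "unsigned" token: empty signature segment (constructed test vector)
    return ".".join(segs + [b64url_encode(sig)])


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is well-formed, uses an allowed algorithm,
    carries a valid HMAC and has not expired. Raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # 1. Algorithm check comes first: the header is attacker-controlled, so the
    #    verifier decides what is acceptable, never the token.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} not permitted")
    # 2. Constant-time signature comparison over the exact bytes that were signed.
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    # 3. Only now trust the claims, and enforce the expiration time.
    claims = json.loads(b64url_decode(payload_seg))
    now = time.time() if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp claim")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def outcome(token: str, key: bytes, now) -> str:
    """Reduce verify_jwt to a short result string for tests and logging."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed demo key and claims; not real credentials.
DEMO_KEY = b"constructed-demo-key"
DEMO_CLAIMS = {"sub": "alice", "exp": 2000}
GOOD_TOKEN = encode_jws({"alg": "HS256", "typ": "JWT"}, DEMO_CLAIMS, DEMO_KEY)
NONE_TOKEN = encode_jws({"alg": "none", "typ": "JWT"}, DEMO_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print("valid   :", outcome(GOOD_TOKEN, DEMO_KEY, now=1000))
    print("alg none:", outcome(NONE_TOKEN, DEMO_KEY, now=1000))
    print("expired :", outcome(GOOD_TOKEN, DEMO_KEY, now=3000))
```

The ordering matters: parsing the claims or checking `exp` before the algorithm and signature checks would mean acting on unauthenticated data, and a verifier that reads the algorithm from the token rather than from its own allow-list is exactly what the "none" fix closes.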
The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/67
They made this release:
- Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
- Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Adoma
- Community (issue opening, tests, patches, pull requests): Bastien JEAN, Gilles Ménigot, Emmanuel Langguth, Julien Ledoux, Andreas Deschka, Arnaud Gillard, Alexandre LINTE, Guillaume, Raphael Geissert, Xavier Bachelot
If you use LemonLDAP::NG and enjoy it, please let us know: