LemonLDAP::NG 2.0.9 is out!


This release contains fixes for two CVEs: CVE-2020-24660 and CVE-2020-16093. Please read the instructions below before upgrading your installation.

Security upgrade

Required changes in NGINX handler rules (CVE-2020-24660)

We discovered a vulnerability that affects LemonLDAP::NG installations when ALL of the following criteria apply:

  • You are using the LemonLDAP::NG Handler to protect applications
  • Your handler server uses Nginx
  • Your virtual host configuration contains per-URL access rules based on regular expressions in addition to the built-in default access rule.

You are safe from this vulnerability if your virtual host only uses a regexp-based rule to trigger logout.

If you are in this situation, you need to modify all your handler-protected virtualhosts by making the following change:

  • Replace fastcgi_param X_ORIGINAL_URI $request_uri by fastcgi_param X_ORIGINAL_URI $original_uri if you are using FastCGI
  • Replace uwsgi_param X_ORIGINAL_URI $request_uri by uwsgi_param X_ORIGINAL_URI $original_uri if you are using uWSGI
  • Right after auth_request /lmauth;, add the following line:

set $original_uri $uri$is_args$args;
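To show where the three changes land in a complete handler-protected virtual host, here is an added example; it is not taken from this announcement or from the LemonLDAP::NG project. The server name, document root and FastCGI socket path are assumptions, and everything other than the three lines named above is ordinary handler boilerplate that you should compare against your own vhost. The point of the change is that $request_uri is the raw request line as the client sent it, whereas $uri is the path after Nginx has normalized it, so building X_ORIGINAL_URI from $uri (plus the query string) makes the handler evaluate its regexp access rules on the same URI Nginx itself routes on.

```nginx
server {
    listen 80;
    # Assumed values: replace with your own virtual host settings
    server_name app.example.com;
    root /var/www/app;

    # Internal sub-request answered by the LemonLDAP::NG handler
    location = /lmauth {
        internal;
        include /etc/nginx/fastcgi_params;
        # Assumed socket path of the llng-fastcgi-server
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        # Drop the request body: the handler only needs headers
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep the original hostname so the handler selects the right vhost rules
        fastcgi_param HOST $http_host;
        # Before 2.0.9 this line read:
        #   fastcgi_param X_ORIGINAL_URI $request_uri;
        # $original_uri is built below from the normalized $uri instead.
        fastcgi_param X_ORIGINAL_URI $original_uri;
    }

    # Client requests
    location / {
        auth_request /lmauth;
        # Added in 2.0.9: normalized path plus the query string, if any
        set $original_uri $uri$is_args$args;
        auth_request_set $lmremote_user $upstream_http_lm_remote_user;
        auth_request_set $lmlocation $upstream_http_location;
        # Unauthenticated or unauthorized users are sent to the portal
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
    }
}
```

The same substitution applies to a uWSGI setup, with uwsgi_param X_ORIGINAL_URI $original_uri in place of the fastcgi_param line. Run nginx -t before reloading to catch a misplaced set directive, and check every vhost that carries per-URL regexp rules, not only the first one you find.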

LDAP certificate validation (CVE-2020-16093)

LDAP server certificates were previously not verified by default when using secure transports (LDAPS or TLS), see CVE-2020-16093. Starting from this release, certificate validation is now enabled by default, including on existing installations.

If you have configured your CA certificates incorrectly, LemonLDAP::NG will now start complaining about invalid certificates. You may temporarily disable validation again with the following command:

/your/path/to/lemonldap-ng-cli set ldapVerify none

If you use LDAP as a configuration storage and want to temporarily disable certificate validation, you must make the following addition to /etc/lemonldap-ng/lemonldap-ng.ini:

[configuration]
...
ldapVerify = none

If you use LDAP as a session backend, you are strongly encouraged to also upgrade corresponding Apache::Session modules (Apache::Session::LDAP or Apache::Session::Browseable). After this upgrade, if you want to temporarily disable certificate validation, you can add the following parameter to the list of Apache::Session module options:

  •  key: ldapVerify
  •  value: none

Please note that it is HIGHLY recommended to set certificate validation to require when contacting LDAP servers over a secure transport to avoid man-in-the-middle attacks.

Changelog

Main changes are:

  • Bugs:

    • RESTProxy doesn't fully work as a UserDB module
    • Refresh my rights causes error 500 with OIDC provider
    • StayConnected plugin not working due to error in fingerprint javascript
    • Bad default value for portalDisplayOidcConsents
    • Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
    • Captcha or OTT is not renewed if Impersonation process failed
    • Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
    • Errors in lemonldap-ng.ini are not correctly reported
    • Misleading error reporting when failing to save conf in lemonldap-ng-cli
    • Regression in redirection to SAML URLs with query string
    • SAML SP error with auth kerberos
    • Local session cache and systemd PrivateTmp
    • Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
    • Missing country in OpenID Connect Address Claim
    • Incorrect SOAP Content-Type
    • Secure flag missing on lemonldappdata cookie and during logout
    • pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
    • [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
    • ldapGroupDecodeSearchedValue does not apply to recursive group search
    • Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
  • New features:

    • Integrate documentation into the codebase
    • Use 2FA only if and when needed
    • Add a session command line (CLI) tool
  • Improvements:

    • Proxy Backend support for Password Module (passwordDB)
    • Declare vhost with wildcard and prefix/suffix
    • Make externally-provisioned yubikeys easier to configure
    • Manager - Configuration's Author IP address field should honor $ipAddr
    • Retrieve GPG keys and SSH keys in GitHub authentication module
    • Add option to make convertConfig easier in most cases
    • REST session server is too intolerant of clock drift (2)
    • Mail reset token should not be deleted at first page access
    • Add CAS App management to the manager API
    • Display new supported grant_types in OIDC discovery page
    • Use configuration key in user log messages for all Issuer modules
    • Check password policy on the client side when changing password
    • No host in logs to use with Fail2ban
    • Manage SameSite default behavior
    • Improve Notifications explorer to display done notifications content
    • Request "do not minify" json config option
    • Erroneous use of NTLM should be explicitly reported to the user
    • Healthcheck endpoint for manager API
    • Add del method to lemonldap-ng-cli

See full changelog: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/72

Download

Credits

They made this release:

  • Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, FER Genève, Avem Groupe, Urgences Santé Québec
  • Community (issues opening, tests, patches, pull requests): David Coutadeuri, Xavier Bachelot, Soisik Froger, Ross Steiner, pgnd, Mickael Bride, Carl R., Côme Chilliet, Andreas Deschka, Guillaume Debaisieux, Baptiste Pecatte, Grégory ROY, Erik Anders, Gilles Filippini, Dave Conroy, Mathieu Lecompte-melançon

If you use LemonLDAP::NG and enjoy it, please let us know: