lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium
CVE-2020-24660
lemonldap-ng community fixed a vulnerability in Nginx default
configuration files (CVE-2020-24660).
Debian package does not install any default site, but documentation
provided bad examples in Nginx configuration before this version. If you
use lemonldap-ng handler with Nginx, you should verify your configuration
files.
Upstream community recommends to fix X_ORIGINAL_URI variable:
location = /lmAuth {
fastcgi_param X_ORIGINAL_URI $request_uri;
# or uwsgi_param X_ORIGINAL_URI $original_uri;
...
}
location = /protected-area {
set $original_uri $uri$is_args$args;
...
}
The updated example file is installed in documentation:
/usr/share/doc/lemonldap-ng-handler/examples/test-nginx.conf
CVE-2020-16093
LDAP server certificates were previously not verified by default when
using secure transports (LDAPS or TLS). Starting from this release,
certificate validation is now enabled by default, including on existing
installations.
If you have configured your CA certificates incorrectly, LemonLDAP::NG
will now start complaining about invalid certificates. You may temporarily
disable it again with the following command:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none
If you use LDAP as a session backend, you are strongly encouraged to also
upgrade corresponding Apache::Session module (Apache::Session::LDAP 0.5 or
libapache-session-browseable-perl 1.3.8). After this upgrade, if you want
to temporarily disable certificate validation, you can add the following
parameter to the list of Apache::Session module options:
- key: ldapVerify
- value: none
-- Xavier Guimard <yadd@debian.org> Mon, 07 Sep 2020 09:35:09 +0200
lemonldap-ng (2.0.5+ds-2) unstable; urgency=medium
Since version 2.0.5, lemonldap-ng includes some improvements in
cryptographic functions. To take advantage of them, you must change the
encryption key of LemonLDAP::NG and restart all your servers.
-- Xavier Guimard <yadd@debian.org> Sun, 30 Jun 2019 14:30:55 +0200
lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium
2.0 is a major release, many things have been changed. You must read
https://lemonldap-ng.org/documentation/2.0/upgrade before upgrade.
-- Xavier Guimard <x.guimard@free.fr> Mon, 30 Oct 2018 12:48:25 +0100
lemonldap-ng (1.9.2-1) unstable; urgency=medium
liblemonldap-ng-handler-perl package has been split into:
- lemonldap-ng-handler that provides web server configuration
- liblemonldap-ng-handler-perl that provides Perl libraries only
-- Xavier Guimard <x.guimard@free.fr> Sat, 16 Apr 2016 21:18:28 +0200
lemonldap-ng (1.9.1-1) unstable; urgency=medium
1) Configuration and sessions storage
From now, Lemonldap::NG uses JSON serialization to store configuration and
sessions instead of Storable::nfreeze Perl function. This permits one to have
heterogenous servers connected to the same LLNG organization (32/64 bits or
different Perl versions). Old format still works but:
* configuration backends: new format is applied at first configuration
save,
* sessions storages: new format is applied for each new session or when
updating an existing session. You can force LemonLDAP::NG to keep the old
serialization method by setting useStorable to 1 in sessions backend
options if you have some custom hooks.
Note that this behaviour only affects modules Apache::Session::File, SQL
database and Apache::Session::LDAP
If you have more than one server and don't want to stop the SSO service, start
upgrading in the following order:
* servers that have only handlers;
* portal servers (all together if your load balancer doesn't keep state by
user or client IP and if users use the menu);
* manager server
2) Manage Ajax requests when sessions expires
To request for authentication, handlers sent a 302 HTTP code even if request
was an Ajax one. From now, after redirection, portal will send a 401 code
with a WWW-Authenticate header containing "SSO portal-URL". This is a little
HTTP protocol hook created because browsers follow redirection transparently.
If you want to keep old behaviour, set noAjaxHook to 1 (in General Parameters
-> Advanced -> Handler redirections -> Keep redirections for Ajax).
3) New "Multi" authentication scheme
The Multi backend configuration has changed. Now the stacks are defined in
separate attributes:
* multiAuthStack
* multiUserDBStack
So an old configuration like this:
authentication = Multi LDAP;DBI
userDB = Multi LDAP;DBI
Must be replaced by:
authentication = Multi
userDB = Multi
multiAuthStack = LDAP;DBI
multiUserDBStack = LDAP;DBI
4) Form replay
Management of form replay has been rewritten. If you uses this experimental
feature, you must edit your configuration and rewrite it.
-- Xavier Guimard <x.guimard@free.fr> Mon, 07 Mar 2016 07:12:08 +0100
lemonldap-ng (1.4.6-1) unstable; urgency=medium
Handler files "My::Package" are no longer installed by default as a module
"Lemonldap::NG::Handler" generic is now available. It is therefore
necessary either to modify Apache configuration files to use
"Lemonldap::NG::Handler" or create your own Perl modules using the provided
examples files.
-- Xavier Guimard <x.guimard@free.fr> Mon, 29 Dec 2014 17:10:00 +0100
lemonldap-ng (1.2.2-3) unstable; urgency=low
Examples files (Apache configuration and default handler files) are now not
installed in /var/lib/lemonldap-ng/handler but available as examples files
-- Xavier Guimard <x.guimard@free.fr> Wed, 05 Dec 2012 06:27:45 +0100
lemonldap-ng (1.2.2-2) unstable; urgency=low
Since 1.2.2, LemonLDAP::NG uses 'Demo' authentication backend by default
and the manager is protected by default by LemonLDAP::NG. So for an
unconfigured installation, you have to use dwho account to access to the
manager (password dwho)
-- Xavier Guimard <x.guimard@free.fr> Thu, 29 Nov 2012 06:22:45 +0100