lemonldap-ng (2.0.2+ds-7+deb10u9) buster-security; urgency=high

  AuthBasic now enforces 2FA activation.

  In previous versions of LemonLDAP::NG, an account protected by 2FA did not
  need to use its second factor when authenticating to an AuthBasic handler.

  If you are *absolutely sure* that you want 2FA protected accounts to access
  AuthBasic handlers, which are password only, you can add the following test
  in your 2FA activation rules:

      and not $ENV{AuthBasic}

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 13 Jul 2023 22:15:51 +0200

lemonldap-ng (2.0.2+ds-7+deb10u8) buster-security; urgency=high

  LDAP server certificates were previously not verified by default when using
  secure transports (LDAPS or TLS). Starting from this release, certificate
  validation is now enabled by default, including on existing installations.
  (CVE-2020-16093)
  If you have configured your CA certificates incorrectly, LemonLDAP::NG will
  now start complaining about invalid certificates. You may temporarily
  disable validation again with the following command:

    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none

  If you use LDAP as a session backend, you are strongly encouraged to also
  upgrade the corresponding Apache::Session module (libapache-session-ldap-perl
  0.4-1+deb10u1 or ≥0.5, or libapache-session-browseable-perl 1.3.0-1+deb10u1
  or ≥1.3.8). After this upgrade, if you want to temporarily disable
  certificate validation, you can add the following parameter to the list of
  Apache::Session module options:

   - key:   ldapVerify
   - value: none

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 28 Jan 2023 13:28:36 +0100

lemonldap-ng (2.0.2+ds-7+deb10u5) buster-security; urgency=high

  The lemonldap-ng community fixed a vulnerability in the default Nginx
  configuration files (CVE-2020-24660).
  The Debian package does not install any default site, but the documentation
  shipped before this version provided insecure Nginx configuration examples.
  If you use the lemonldap-ng handler with Nginx, you should verify your
  configuration files.
  The upstream community recommends fixing the X_ORIGINAL_URI variable as
  follows:

    location = /lmAuth {
      fastcgi_param X_ORIGINAL_URI  $request_uri;
      # or uwsgi_param X_ORIGINAL_URI $original_uri;
      ...
    }
    location = /protected-area {
      set $original_uri $uri$is_args$args;
      ...
    }

  The updated example file is installed in documentation:
  /usr/share/doc/lemonldap-ng-handler/examples/test-nginx.conf

  See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 for more
  details.
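A quick way to check existing Nginx site files against the recommendation above is a small audit script. The following is an added example written for this entry, not code from the Debian package or from LemonLDAP::NG. It only knows the two shapes shown in the snippet (X_ORIGINAL_URI fed from $request_uri, or from an $original_uri variable that the protected location sets to $uri$is_args$args); the sample configs, the socket paths and the location names are constructed placeholders.

```python
"""Audit an Nginx config for the X_ORIGINAL_URI layout recommended above.

Added example for this NEWS entry, not code from the Debian package or from
LemonLDAP::NG. It only knows the two shapes shown in the entry: X_ORIGINAL_URI
fed from $request_uri, or fed from an $original_uri variable that the
protected location sets to $uri$is_args$args.
"""
import re
from typing import List

# A fastcgi_param/uwsgi_param line naming X_ORIGINAL_URI; group 1 is the value.
PARAM_RE = re.compile(r"^\s*(?:fastcgi|uwsgi)_param\s+X_ORIGINAL_URI\s+(\S+?)\s*;", re.M)
# A 'set $original_uri ...;' directive; group 1 is the value.
SET_RE = re.compile(r"^\s*set\s+\$original_uri\s+(\S+?)\s*;", re.M)
COMMENT_RE = re.compile(r"#.*$", re.M)

EXPECTED_SET_VALUE = "$uri$is_args$args"
ACCEPTED_PARAM_VALUES = {"$request_uri", "$original_uri"}


def strip_comments(config: str) -> str:
    """Remove '#' comments so a commented-out alternative is not read as active."""
    return COMMENT_RE.sub("", config)


def audit_nginx_config(config: str) -> List[str]:
    """Return findings for one config text; an empty list means it matches the recommendation."""
    text = strip_comments(config)
    findings: List[str] = []
    params = PARAM_RE.findall(text)
    if not params:
        findings.append("no X_ORIGINAL_URI param found: the handler will not see the requested URI")
    for value in params:
        if value not in ACCEPTED_PARAM_VALUES:
            findings.append(
                f"X_ORIGINAL_URI is set from {value}; expected $request_uri or $original_uri"
            )
    if "$original_uri" in params:
        sets = SET_RE.findall(text)
        if not sets:
            findings.append(
                "$original_uri is used but never set; add "
                f"'set $original_uri {EXPECTED_SET_VALUE};' to the protected location"
            )
        for value in sets:
            if value != EXPECTED_SET_VALUE:
                findings.append(f"$original_uri is set to {value}; expected {EXPECTED_SET_VALUE}")
    return findings


# Constructed samples (not shipped configs). Socket paths are placeholders.
FIXED_FASTCGI = """
location = /lmAuth {
  internal;
  fastcgi_pass unix:/path/to/llng-fastcgi.sock;
  fastcgi_param X_ORIGINAL_URI $request_uri;
  # or uwsgi_param X_ORIGINAL_URI $original_uri;
}
location = /protected-area {
  set $original_uri $uri$is_args$args;
  auth_request /lmAuth;
}
"""

FIXED_UWSGI = """
location = /lmAuth {
  internal;
  uwsgi_pass unix:/path/to/llng-uwsgi.sock;
  uwsgi_param X_ORIGINAL_URI $original_uri;
}
location = /protected-area {
  set $original_uri $uri$is_args$args;
  auth_request /lmAuth;
}
"""

# Deviates from the recommendation: a different variable is passed to the handler.
OTHER_VARIABLE = FIXED_FASTCGI.replace("$request_uri", "$uri")

# Deviates from the recommendation: $original_uri is referenced but never set.
MISSING_SET = FIXED_UWSGI.replace("  set $original_uri $uri$is_args$args;\n", "")

if __name__ == "__main__":
    for name, cfg in [("fixed fastcgi", FIXED_FASTCGI), ("fixed uwsgi", FIXED_UWSGI),
                      ("other variable", OTHER_VARIABLE), ("missing set", MISSING_SET)]:
        print(name, "->", audit_nginx_config(cfg) or "OK")
```

Run it over the text of each site file under /etc/nginx (for example by reading the file and passing it to audit_nginx_config); an empty finding list means the file already follows the layout above. Comments are stripped first so that the commented-out uwsgi_param alternative in the snippet is not mistaken for an active directive.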

 -- Xavier Guimard <yadd@debian.org>  Mon, 07 Sep 2020 11:16:03 +0200

lemonldap-ng (2.0.2+ds-7+deb10u3) buster; urgency=medium

  This version fixes 3 security issues. However, you must verify 2 things:
   * if you enabled the SOAP/REST plugins, verify in your portal web
     configuration file that they are well protected (see the new default
     configuration files: /etc/lemonldap-ng/portal-apache2.X.conf and
     /etc/lemonldap-ng/portal-nginx.conf)
   * if you enabled the OpenID Connect identity provider, your relying parties
     must have a redirection URI. You just have to save a new configuration
     using the manager, and the automatic tests will fail if one relying party
     is misconfigured

 -- Xavier Guimard <yadd@debian.org>  Fri, 20 Dec 2019 18:12:54 +0100

lemonldap-ng (2.0.0+ds-1) unstable; urgency=medium

  2.0 is a major release and many things have changed. You must read
  https://lemonldap-ng.org/documentation/2.0/upgrade before upgrading.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 30 Oct 2018 12:48:25 +0100

lemonldap-ng (1.9.2-1) unstable; urgency=medium

  The liblemonldap-ng-handler-perl package has been split into:
  - lemonldap-ng-handler, which provides the web server configuration
  - liblemonldap-ng-handler-perl, which provides the Perl libraries only

 -- Xavier Guimard <x.guimard@free.fr>  Sat, 16 Apr 2016 21:18:28 +0200

lemonldap-ng (1.9.1-1) unstable; urgency=medium

  1) Configuration and sessions storage

  From now on, Lemonldap::NG uses JSON serialization to store configuration and
  sessions instead of the Perl Storable::nfreeze function. This allows
  heterogeneous servers to be connected to the same LLNG organization (32/64
  bits or different Perl versions). The old format still works, but:
   * configuration backends: the new format is applied at the first
     configuration save,
   * session storages: the new format is applied for each new session or when
     an existing session is updated. You can force LemonLDAP::NG to keep the
     old serialization method by setting useStorable to 1 in the session
     backend options if you have some custom hooks.
     Note that this behaviour only affects the Apache::Session::File, SQL
     database and Apache::Session::LDAP modules

  If you have more than one server and don't want to stop the SSO service, start
  upgrading in the following order:
   * servers that have only handlers;
   * portal servers (all together if your load balancer doesn't keep state by
     user or client IP and if users use the menu);
   * manager server

  2) Managing Ajax requests when sessions expire

  To request authentication, handlers used to send a 302 HTTP code even if the
  request was an Ajax one. From now on, after the redirection, the portal sends
  a 401 code with a WWW-Authenticate header containing "SSO portal-URL". This
  is a small HTTP protocol hook, created because browsers follow redirections
  transparently. If you want to keep the old behaviour, set noAjaxHook to 1
  (in General Parameters -> Advanced -> Handler redirections -> Keep
  redirections for Ajax).

  3) New "Multi" authentication scheme

  The Multi backend configuration has changed. Now the stacks are defined in
  separate attributes:
   * multiAuthStack
   * multiUserDBStack

  So an old configuration like this:

    authentication = Multi LDAP;DBI
    userDB         = Multi LDAP;DBI

  must be replaced by:

    authentication   = Multi
    userDB           = Multi
    multiAuthStack   = LDAP;DBI
    multiUserDBStack = LDAP;DBI
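The rewrite above is mechanical, so here is an added example that performs it for an arbitrary number of stacked backends. This is not LemonLDAP::NG code: it works on a flat "key = value" text like the two snippets above (a constructed sample), not on a real lmConf file, and the real configuration should still be edited through the manager or lemonldap-ng-cli.

```python
"""Rewrite the pre-1.9.1 'Multi' settings into the new stack attributes.

Added example for this NEWS entry, not LemonLDAP::NG code. It operates on a
flat "key = value" text like the snippets in the entry, not on a real lmConf
file; use the manager or lemonldap-ng-cli for an actual configuration.
"""
from typing import Dict

# Old key whose value carried the stack -> new attribute that now holds it.
STACK_ATTRIBUTES = {
    "authentication": "multiAuthStack",
    "userDB": "multiUserDBStack",
}


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def migrate_multi(conf: Dict[str, str]) -> Dict[str, str]:
    """Return a copy where 'Multi <stack>' values are split into the new attributes."""
    new = dict(conf)
    for key, stack_attr in STACK_ATTRIBUTES.items():
        # Old syntax: "Multi LDAP;DBI" -> backend "Multi", stack "LDAP;DBI".
        backend, _, stack = conf.get(key, "").partition(" ")
        if backend != "Multi":
            continue  # not using Multi: nothing to migrate
        stack = stack.strip()
        if stack:
            new[key] = "Multi"
            new[stack_attr] = stack
        elif stack_attr not in conf:
            # Already "Multi" alone but no stack anywhere: the config is unusable.
            raise ValueError(f"{key} = Multi but neither an inline stack nor {stack_attr} is set")
    return new


def render_kv(conf: Dict[str, str]) -> str:
    """Render as aligned 'key = value' lines."""
    width = max(len(k) for k in conf)
    return "\n".join(f"{k.ljust(width)} = {v}" for k, v in conf.items())


# Constructed sample in the old format, as shown in the entry.
OLD_CONF = """
authentication = Multi LDAP;DBI
userDB         = Multi LDAP;DBI
"""

if __name__ == "__main__":
    print(render_kv(migrate_multi(parse_kv(OLD_CONF))))
```

A configuration that already uses the new layout (authentication = Multi with multiAuthStack set) passes through unchanged, and one that says "Multi" without any stack is rejected rather than silently producing an empty stack.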

  4) Form replay

  Management of form replay has been rewritten. If you use this experimental
  feature, you must edit your configuration and rewrite it.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 07 Mar 2016 07:12:08 +0100

lemonldap-ng (1.4.6-1) unstable; urgency=medium

  The "My::Package" handler files are no longer installed by default, as a
  generic "Lemonldap::NG::Handler" module is now available. You must therefore
  either modify your Apache configuration files to use
  "Lemonldap::NG::Handler" or create your own Perl modules using the provided
  example files.

 -- Xavier Guimard <x.guimard@free.fr>  Mon, 29 Dec 2014 17:10:00 +0100

lemonldap-ng (1.2.2-3) unstable; urgency=low

  Example files (Apache configuration and default handler files) are no longer
  installed in /var/lib/lemonldap-ng/handler but are available as example files.

 -- Xavier Guimard <x.guimard@free.fr>  Wed, 05 Dec 2012 06:27:45 +0100

lemonldap-ng (1.2.2-2) unstable; urgency=low

  Since 1.2.2, LemonLDAP::NG uses the 'Demo' authentication backend by default,
  and the manager is protected by LemonLDAP::NG by default. So for an
  unconfigured installation, you have to use the dwho account to access the
  manager (password dwho).

 -- Xavier Guimard <x.guimard@free.fr>  Thu, 29 Nov 2012 06:22:45 +0100
