Upgrade from 1.3 to 1.4

If you are using packages, they should have done the upgrade process for you, but you can check here that all is in order.

If you upgrade from older versions, please follow first:

Handler

The Handler module has been completely rewritten. You should now call the default module in your virtual host:

PerlHeaderParserHandler Lemonldap::NG::Handler

The main Apache handler configuration file has also been modified; check it against the following:

# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlRequire Lemonldap/NG/Handler.pm
 
# Common error page and security parameters
ErrorDocument 403 http://auth.example.com/?lmError=403
ErrorDocument 500 http://auth.example.com/?lmError=500
ErrorDocument 503 http://auth.example.com/?lmError=503
 
<VirtualHost *:80>
    ServerName reload.example.com
 
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when the
    # configuration changes
    <Location /reload>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        PerlHeaderParserHandler Lemonldap::NG::Handler->refresh
    </Location>
 
    # Uncomment this to activate status module
    #<Location /status>
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    PerlHeaderParserHandler Lemonldap::NG::Handler->status
    #</Location>
 
</VirtualHost>

New portal skin

We provide a new skin: bootstrap. This skin uses the Twitter Bootstrap framework and renders well on mobile devices. Try it!

Specific handlers

If you are using one of these specific handlers:

You should now change their path in your virtual host. For example, for Sympa, from:

PerlRequire /usr/local/lemonldap-ng/handler/MyHandlerSympa.pm
PerlHeaderParserHandler My::Sympa

to:

PerlRequire Lemonldap/NG/Handler/Specific/SympaAutoLogin.pm
PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SympaAutoLogin

Take care to save any customizations in these files before you do the upgrade:

  • MyHandlerAuthBasic.pm
  • MyHandler.pm
  • MyHandlerSecureToken.pm
  • MyHandlerSympa.pm
  • MyHandlerZimbra.pm
  • MyUpdateCookieHandler.pm
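
To find virtual hosts that still reference the 1.3 handlers, the check below scans Apache configuration text for the file names listed above. It is an added example, not part of LemonLDAP::NG; the function name, the sample configuration and the rule that flags any handler outside the Lemonldap::NG::Handler namespace are assumptions made for illustration.

```python
import re

# 1.3-era handler files, taken from the list on this page.
LEGACY_FILES = {
    "MyHandlerAuthBasic.pm", "MyHandler.pm", "MyHandlerSecureToken.pm",
    "MyHandlerSympa.pm", "MyHandlerZimbra.pm", "MyUpdateCookieHandler.pm",
}
# Apache directive names are case-insensitive; commented lines never match.
DIRECTIVE = re.compile(r"^\s*(PerlRequire|PerlHeaderParserHandler)\s+(\S+)", re.I)

def audit_vhost(text):
    """Return (line_no, directive, value, reason) for each 1.3-style reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2).strip("\"'")
        if directive.lower() == "perlrequire":
            # Compare the exact base name so MyHandler.pm != MyHandlerSympa.pm.
            if value.rsplit("/", 1)[-1] in LEGACY_FILES:
                findings.append((no, directive, value, "legacy handler file"))
        elif not value.startswith("Lemonldap::NG::Handler"):
            # Assumption: a handler outside this namespace needs manual review.
            findings.append((no, directive, value, "handler outside Lemonldap::NG::Handler"))
    return findings

# Constructed sample: one vhost still on 1.3 paths, one already migrated.
SAMPLE = """\
<VirtualHost *:80>
    ServerName sympa.example.com
    PerlRequire /usr/local/lemonldap-ng/handler/MyHandlerSympa.pm
    PerlHeaderParserHandler My::Sympa
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.com
    PerlRequire Lemonldap/NG/Handler/Specific/SympaAutoLogin.pm
    PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SympaAutoLogin
    #PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm
</VirtualHost>
"""

if __name__ == "__main__":
    for no, directive, value, reason in audit_vhost(SAMPLE):
        print(f"line {no}: {directive} {value} -> {reason}")
```

An empty result means no virtual host in the scanned text still loads a 1.3 handler file or a handler class outside the new namespace.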

Security

We found that the default session identifier generation may be too simple, which can allow a brute-force attack to find a valid session identifier (see https://jira.ow2.org/browse/LEMONLDAP-695).

We recommend that you use a new generate module. Add the generateModule key to your sessions backend options and use Lemonldap::NG::Common::Apache::Session::Generate::SHA256 as its value.

Captcha

Captcha now uses an Apache::Session module as backend. You need to adapt your previous configuration, replacing captcha_data and captcha_output with captchaStorage and captchaStorageOptions.

This allows you to use a DB or LDAP to share captchas in a cluster.

Session cache

Session management has been rewritten; all LL::NG modules now use the Lemonldap::NG::Common::Session module to access a session. This new module manages the session cache, which can now be configured through localSessionStorage and localSessionStorageOptions (see the session configuration in Manager).

If you were configuring the Handler session cache through localStorage in lemonldap-ng.ini, then you need to change your configuration: Handler localStorage no longer caches sessions, but it is still used for specific Handler features, like local macros.

Domain

Since 1.4.6

The domain value should no longer begin with a dot (.). If you configured .example.com as the domain value, now use example.com.

Multi module names in session

Since 1.4.6

When Multi is used with #label (like LDAP#OpenLDAP), the module name stored in _auth is now LDAP. To get the full module name, use _authMulti (and _userDBMulti for user module). See modules for more information.