Upgrade from version 1.3 to version 1.4

When you use packages, they should perform the upgrade themselves, but you can verify here that everything is in order.

Agent (Handler)

The Handler module has been completely rewritten. You should now call the default module in your virtual host:

PerlHeaderParserHandler Lemonldap::NG::Handler

The main Apache handler configuration file has also been modified; check it:

# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlRequire Lemonldap/NG/Handler.pm
 
# Common error page and security parameters
ErrorDocument 403 http://auth.example.com/?lmError=403
ErrorDocument 500 http://auth.example.com/?lmError=500
ErrorDocument 503 http://auth.example.com/?lmError=503
 
<VirtualHost *:80>
    ServerName reload.example.com
 
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when
    # configuration changes
    <Location /reload>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        PerlHeaderParserHandler Lemonldap::NG::Handler->refresh
    </Location>
 
    # Uncomment this to activate status module
    #<Location /status>
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    PerlHeaderParserHandler Lemonldap::NG::Handler->status
    #</Location>
 
</VirtualHost>

New portal skin

We provide a new skin: bootstrap. This skin uses the Twitter Bootstrap framework and renders well on mobile devices. Try it!

Specific handlers

If you are using one of the specific handlers (the files listed below), you should now change its path in your virtual host. For example, for Sympa, from:

PerlRequire /usr/local/lemonldap-ng/handler/MyHandlerSympa.pm
PerlHeaderParserHandler My::Sympa

to:

PerlRequire Lemonldap/NG/Handler/Specific/SympaAutoLogin.pm
PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SympaAutoLogin

Take care to save any customizations made in these files before you upgrade:

  • MyHandlerAuthBasic.pm
  • MyHandler.pm
  • MyHandlerSecureToken.pm
  • MyHandlerSympa.pm
  • MyHandlerZimbra.pm
  • MyUpdateCookieHandler.pm
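
To confirm that no virtual host still loads a 1.3-style handler after the upgrade, the configuration can be scanned for the file names listed above. This is an added example, not code from the LemonLDAP::NG project; the sample configuration is constructed, and the rule that legacy packages start with My:: is an assumption based on the My::Sympa example.

```python
import re

# Legacy 1.3 handler files, taken from the list on this page.
LEGACY_FILES = {
    "MyHandlerAuthBasic.pm", "MyHandler.pm", "MyHandlerSecureToken.pm",
    "MyHandlerSympa.pm", "MyHandlerZimbra.pm", "MyUpdateCookieHandler.pm",
}
# The only old -> new mapping the page spells out (Sympa).
REPLACEMENT = {
    "MyHandlerSympa.pm": "Lemonldap/NG/Handler/Specific/SympaAutoLogin.pm",
    "My::Sympa": "Lemonldap::NG::Handler::Specific::SympaAutoLogin",
}
# Apache directive names are case-insensitive; commented-out lines never match.
DIRECTIVE = re.compile(r"^\s*(PerlRequire|PerlHeaderParserHandler)\s+(\S+)", re.I)

# Constructed sample: one vhost still on the 1.3 layout, one already migrated.
SAMPLE = """\
<VirtualHost *:80>
    ServerName sympa.example.com
    PerlRequire /usr/local/lemonldap-ng/handler/MyHandlerSympa.pm
    PerlHeaderParserHandler My::Sympa
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.com
    # PerlHeaderParserHandler My::Package
    PerlHeaderParserHandler Lemonldap::NG::Handler
</VirtualHost>
"""

def find_legacy_handlers(conf_text):
    """Return (line_no, directive, value, replacement_or_None) per 1.3-style reference."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, value = m.groups()
        if directive.lower() == "perlrequire":
            key = value.rsplit("/", 1)[-1]  # file name without its directory
            legacy = key in LEGACY_FILES
        else:
            key = value
            # Assumption: legacy packages use the My:: prefix, as My::Sympa does.
            legacy = value.startswith("My::")
        if legacy:
            findings.append((line_no, directive, value, REPLACEMENT.get(key)))
    return findings

if __name__ == "__main__":
    for line_no, directive, value, new in find_legacy_handlers(SAMPLE):
        print(f"line {line_no}: {directive} {value} -> {new or 'no mapping on this page'}")
```
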

Security

We found that the default session identifier generation may be too simple and could allow a brute-force attack to find a valid session identifier (see https://jira.ow2.org/browse/LEMONLDAP-695).

We recommend that you use a new generate module: add the generateModule key to your sessions backend options, with Lemonldap::NG::Common::Apache::Session::Generate::SHA256 as its value.

Captcha

Captcha now uses an Apache::Session module as backend. You need to adapt your previous configuration, replacing captcha_data and captcha_output with captchaStorage and captchaStorageOptions.

This makes it possible to use a DB or LDAP to share captchas in a cluster.