Could be a bug:
OK, I applied the fix, and although it's not completely fixed:
Status : [
{
"localhost" => "OK"
}
];
Saved under number 15
Status : [
{
"localhost" => "OK"
}
];
Saved under number 16
Status : [
{
"localhost" => "OK"
}
];
Saved under number 17
Status : [
{
"localhost" => "OK"
}
];
Odd number of elements in hash assignment at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 71, line 1.
ldapExportedVars seems to be a hash, modification refused at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 78, line 1.
Saved under number 18
Status : [
{
"localhost" => "OK"
}
];
Saved under number 19
Status : [
{
"localhost" => "OK"
}
];
A lot better than before.
my ( $self, %pairs ) = @_;
and
die "$key seems to be a hash, modification refused";
seem to be the issue; not sure what it means though.
I've had the warnings too, but as far as I can see they were just cosmetic. But this one might not be:
Odd number of elements in hash assignment at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 71, line 1.
ldapExportedVars seems to be a hash, modification refused at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Cli.pm line 78, line 1.
Is this using AD or LDAP? I may need to make some edits to the config script templates.
Edit: Looks like I was setting the exported vars incorrectly; update is pushed to the repo.
Edit 2: You can return LLNG to its almost-stock configuration by removing all the lmConf-n.json files in /var/lib/lemonldap-ng/conf/
except the first one.
It does, and it's pretty easy to set up; the instructions above are updated with this.
I'm using AD, but that works now. Thanks.
OK, so I got it to work, sort of. It's not always saving the changes I make in the manager. Where would the logs be located? Not sure if it's a permissions thing or another error.
Not sure why, but it seems to be doing what it's told now.
On another note, I was looking in the manager and it does support Kerberos, and so does Cockpit, so that might work for integration.
Also, it might save a bit of time if you are making a lot of changes to the metadata on some applications: instead of downloading the metadata file, the URL for Nextcloud is
https://your.nextcloud.domain.com/index.php/apps/user_saml/saml/metadata
and for WordPress it's
https://your.wordpress.domain.com/wp-login.php?saml_metadata
And while I'm at it, to integrate WordPress I use the OneLogin SAML SSO Plugin, as it is free to configure all options, as far as I'm aware.
Step 1.
Install the OneLogin SAML SSO Plugin on WordPress and activate it, but don't enable SAML authentication in the plugin yet.
Step 2.
Over in the LemonLDAP manager, follow the same instructions I gave for EP,
adding https://your.wordpress.domain.com/wp-login.php?saml_metadata for the metadata URL; save and ignore any errors.
Step 3.
Enter the following info in the plugin in WordPress:
IdP Entity Id = https://auth.yourdomain/saml/metadata
Single Sign On Service Url = https://auth.yourdomain/saml/singleSignOn
- change Single Log Out Service Url = https://auth.yourdomain/saml/singleLogout
to Single Log Out Service Url = https://auth.yourdomain/saml/AA/SOAP
X.509 Certificate = public key cert from Signature in the manager
Enable the following in Options:
Create user if not exists
Update user data
Force SAML login
Set "Match Wordpress account by" to Username
ATTRIBUTE MAPPING
Username = uid
E-mail = mail
Nickname = cn
Role = role
NOTE: I created the following groups in NethServer: wordpressadmin, wordpressedditor, wordpressauthor, wordpresscontributor and wordpresssubscriber. Then I added them in WordPress under ROLE MAPPING in the SSO options:
Administrator = CN=wordpressadmin,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Editor = CN=wordpressedditor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Author = CN=wordpressauthor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Contributor = CN=wordpresscontributor,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Subscriber = CN=wordpresssubscriber,CN=Users,DC=ad,DC=domain,DC=com,DC=au
Under "Regular expression for multiple role values" = /CN=([A-Z0-9\s _-]*);/i
CUSTOMIZE ACTIONS AND LINKS
Enable the following:
Prevent reset password
Prevent change password
Prevent change mail
ADVANCED SETTINGS
Encrypt nameID
Sign AuthnRequest
Sign LogoutRequest
Sign LogoutResponse
Reject Unsigned Messages
Retrieve Parameters From Server
Set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:windows
In requestedAuthnContext select the last three, i.e. urn:oasis:names:tc:SAML:2.0:ac:classes:password
Under Service Provider X.509 Certificate and Service Provider Private Key, enter the certs from Signature in the SAML settings in the LemonLDAP manager.
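As an added illustration of the ROLE MAPPING step above (example code, not part of the post and not the OneLogin plugin's own implementation): the regex from the "Regular expression for multiple role values" field applied to a raw `role` attribute, followed by a fail-closed resolution to one WordPress role. The group DNs are the ones listed above; the sample attribute values are constructed, and the assumption that the plugin compares on the CN the regex extracts (rather than on the whole DN) is mine.

```python
import re
from typing import List, Optional

# The regular expression from the plugin field "Regular expression for multiple
# role values" in the post above. Python's re.IGNORECASE stands in for the /i flag.
MULTI_ROLE_RE = re.compile(r"CN=([A-Z0-9\s _-]*);", re.IGNORECASE)

# ROLE MAPPING from the post: WordPress role -> AD group DN. Ordered from most
# to least privileged; the order decides which role wins when a user is in
# several mapped groups.
ROLE_MAPPING = [
    ("administrator", "CN=wordpressadmin,CN=Users,DC=ad,DC=domain,DC=com,DC=au"),
    ("editor", "CN=wordpressedditor,CN=Users,DC=ad,DC=domain,DC=com,DC=au"),
    ("author", "CN=wordpressauthor,CN=Users,DC=ad,DC=domain,DC=com,DC=au"),
    ("contributor", "CN=wordpresscontributor,CN=Users,DC=ad,DC=domain,DC=com,DC=au"),
    ("subscriber", "CN=wordpresssubscriber,CN=Users,DC=ad,DC=domain,DC=com,DC=au"),
]


def extract_group_names(role_attribute: str) -> List[str]:
    """Apply the multi-value regex to the raw 'role' SAML attribute.

    The pattern only captures a CN that is immediately followed by ';', so the
    attribute has to arrive as a ';'-terminated list such as
    'CN=wordpressadmin;CN=wordpressauthor;'. A complete DN like
    'CN=wordpressadmin,CN=Users,...' yields no match at all, because the comma
    after the group name is outside the character class.
    """
    return [name.strip().lower() for name in MULTI_ROLE_RE.findall(role_attribute)]


def group_cn(dn: str) -> str:
    """Lower-cased value of the leading CN= of a configured group DN."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip().lower() if attr.strip().upper() == "CN" else ""


def resolve_wordpress_role(role_attribute: str) -> Optional[str]:
    """Return the single WordPress role for a user, or None if no mapped group
    matched. Assumption (not from the post): the plugin compares the CN the
    regex extracted against the CN of each configured DN. None is returned
    rather than a default role so the caller fails closed.
    """
    names = set(extract_group_names(role_attribute))
    for wp_role, dn in ROLE_MAPPING:
        if group_cn(dn) in names:
            return wp_role
    return None


if __name__ == "__main__":
    # Constructed sample attribute values, not captured from a real IdP.
    for value in ("CN=wordpresssubscriber;CN=wordpressedditor;", "CN=Domain Users;", ""):
        print(repr(value), "->", resolve_wordpress_role(value))
```

The point worth checking in your own setup is the second docstring: the regex needs the `;` terminator, so if the IdP exports full DNs joined by some other separator, nothing matches and every user ends up with no role, which is the safe direction to fail in.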
Content now moved to the wiki. @Shane_Treweek, if you like, you can add Wordpress and Education Perfect under the SAML2 section if you like.
I'm in the process of setting up GLPI. I've installed the SAML plugin and configured it; I'm just trying to locate the plugin's metadata to finish the setup in the Manager.
Actually, now I think of it, maybe the SAML plugin only authenticates and needs a plugin for the service provider.
OK, Zammad: simply click the gear in the bottom left, then go to Security and select Third-party applications; enable "Automatic account link on initial logon",
then enable SAML.
Settings are:
IDP SSO Target URL=https://auth.domain.com/saml/singleSignOn
IDP Certificate= the public cert under Signature in the LemonLDAP manager
leave the next field blank
Name Identifier Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
In the manager, create the SP
with metadata URL https://zammad.domain.com/auth/saml/metadata and load it.
Under exported attributes, see below.
Under Authenticated Response, choose email,
and make the following changes under LDAP exported attributes.
Obviously some of the attributes don't apply yet to the current config (I'm working on mapping other attributes).
Update:
OK, I've got signing and encryption working, but not checking of the signing; see below.
I was just thinking: does anyone think it would be useful to be able to have Wi-Fi authentication with SAML?
Hi
Been playing around with OpenWRT the last 2 days - the intention is to test it out before I reflash my Netgear WLan AP (or brick it!).
One of my reasons is that the Netgear WLan routers are very common, and they only support router mode, not really AP mode. That means NO remote access or administration for these boxes, a limitation OpenWRT would remove…
To test OpenWRT, I was pleasantly surprised that they support using a Raspberry Pi as a WLan AP… Version 3B is what I'm testing right now; my RP4 is ready as the next test candidate…
Just use BalenaEtcher to flash the MicroSD (16 GB is ample enough), and it's running!
OpenWRT allows many more options for auth (and other functions) that the original maker does not…
And you can make any supported WLan router into a full WLan AP… Better SNMP reporting is one more option…
This post is a "follow up" for your WLan auth input…
My 2 cents
Andy
Are you thinking something like a captive portal? It seems a logical application for SSO, but naturally whatever system is handling the captive portal would need to support SAML (or OIDC, which I think would really be my preference if possible; it's much simpler to configure). I have Unifi at home, and it looks like the only external authentication it supports is RADIUS; pfSense (and thus, I expect, OPNsense) supports RADIUS as well as LDAP/AD. Neither appear to support SAML or OIDC.
Also, I found that if (in Nextcloud) you change the URLs under Identity Provider Data so they look like
https://auth.domain/saml/metadata
https://auth.domain/saml/singleSignOn
https://auth.domain/saml/AA/SOAP
https://auth.domain/saml/singleLogout
under Signatures and encryption offered,
enable the first 4 options;
under Signatures and encryption required,
enable the first 3 options;
under General,
enable both options;
and for now (until I can figure out how to pass the certs without giving the private key),
under Service Provider Data,
select windows
and enter the public and private key from Encryption in the LemonLDAP::NG manager;
and on the manager, under Nextcloud,
set Authentication response to windows;
under Signature, enable all;
under Security,
set Encryption mode to assertion,
set Enable use of IDP initiated URL to enable,
and Authentication level to 1;
reload the metadata and save.
Signing both log on and off works and passes checks, and encryption works.
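The values the WordPress, Zammad and Nextcloud posts above copy by hand out of the manager (IdP entity ID, SSO and SLO URLs, the signing certificate) are exactly what the IdP's own metadata document at .../saml/metadata carries. As an added example, not from this thread and not LemonLDAP::NG or any plugin's own code, here is a small Python parser that pulls those fields out of an IdP metadata document, refuses metadata that has no signing certificate, and checks that a pasted blob contains no private key: metadata, and the "IdP certificate" fields on the SP side, only ever need the public certificate. The sample metadata is constructed; the host auth.example.test and both certificate bodies are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the document an IdP serves at .../saml/metadata.
# The host auth.example.test and both certificate bodies are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICsigningCERTplaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICencryptionCERTplaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.example.test/saml/singleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.example.test/saml/singleSignOn"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.example.test/saml/singleSignOn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def contains_private_key(blob: str) -> bool:
    """True if a pasted PEM blob carries private key material. Only the public
    certificate belongs in metadata or in an SP's 'IdP certificate' field."""
    return "PRIVATE KEY-----" in blob


def _endpoint(idp: ET.Element, tag: str) -> Optional[str]:
    """Location of <md:tag>, preferring the HTTP-Redirect binding, then HTTP-POST."""
    services = idp.findall(f"md:{tag}", NS)
    for binding in (HTTP_REDIRECT, HTTP_POST):
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return None


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract the fields an SP plugin asks for from IdP metadata, refusing
    documents without a signing certificate (responses could not be verified)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs: Dict[str, str] = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = "".join(cert.text.split())  # drop PEM line breaks and indentation
        if contains_private_key(body):
            raise ValueError("metadata must never carry a private key")
        # A KeyDescriptor without a 'use' attribute may serve both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            certs.setdefault(use, body)
    if "signing" not in certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": _endpoint(idp, "SingleSignOnService"),
        "slo_url": _endpoint(idp, "SingleLogoutService"),
        "signing_cert": certs["signing"],
        "encryption_cert": certs.get("encryption"),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

If you point this at metadata fetched from a host you do not control, parse it with defusedxml instead of the stdlib ElementTree, and compare the `signing_cert` it returns with the certificate shown under Signature in the manager before pasting anything into a plugin.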
Sounds promising
LLNG version 2.0.12 is released:
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-12-is-out/
BTW, nothing serious, but every time this topic bumps up I think of it
(so getting it out of my system now).
While (re)building SOGo I noticed there is a lasso package in the CentOS repositories; it is older and seems not to provide Perl bindings.
As said, nothing serious, just something to keep in mind:
the lasso package delivered by lemonldap-ng replaces the distro's package.
I have fired up my test server, and I am in the process of doing multiple deployments. I have also included the LemonLDAP software, as well as the other software that would need to be authenticated by it.
I also came across your article on SSH certificates, which is a very interesting concept.
You did put it out quite well in your documentation: advanced:ssh_certificates [danb35's Wiki] (familybrown.org)
What I am curious about is: did you deploy your own certificate server? Was it deployed on Debian, CentOS or NethServer?
How well is it working so far on your end?
I want to attempt building and setting it up, as a way to learn a few things, but also to try and implement the same in my organization, since we have multiple people who SSH into servers, and we make use of freelance system admins. I need to see how well this can resolve the matter.
Let me know your current setup and use case, as it really is interesting.
that worked
still errors but getting closer
/root/lemon_config.sh
[Sat Jul 24 23:57:33 2021] [LLNG:1605] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:35 2021] [LLNG:1608] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:37 2021] [LLNG:1612] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:38 2021] [LLNG:1615] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:40 2021] [LLNG:1618] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:41 2021] [LLNG:1621] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:43 2021] [LLNG:1625] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
[Sat Jul 24 23:57:45 2021] [LLNG:1628] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.