@danb35 I've just checked on a normal NethServer running /root/lemon_config.sh and it gives me the same errors
Confirmed (what would I do without VMs?), it's now doing the same for me; must be a change in 2.0.12. Let's see what the LLNG mailing list says.
Makes sense, I didn't even think of that.
What's really strange is that the info command works, so it knows where the config file is and can read it:
[root@nethtest ~]# /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli info
Num : 1
Author : The LemonLDAP::NG team
Author IP: No IP provided
Date : Wed Dec 31 19:00:00 1969
Version : 2.0.12
Log : No log provided
But as soon as you try to change something, it dies:
[root@nethtest ~]# /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey applicationList 1sample
[Sun Jul 25 21:26:25 2021] [LLNG:12657] [error] No configuration available
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31, <FILE> line 1.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Lib/PSGI.pm line 31, <FILE> line 1.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Use of uninitialized value in subroutine entry at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
Can't use string ("") as a subroutine ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager.pm line 143.
And as far as its help output shows, there's no way to direct it to a particular directory for the config files, other than to point it to a different lemonldap-ng.ini file. That file is in /etc/lemonldap-ng/, same as before, and it specifies the same location for the config files as before, so I'm a little puzzled.
I'm away from my LAN for the next few days, though I'll have occasional VPN access, but I may be a little slower checking this out than I'd like to be.
Could it be a permission thing? Or, for the moment, go back to the older version.
Good thought, but (1) that's a very misleading error if permissions are the issue; (2) it should run as the apache user, who owns the relevant directory and file; and (3) I still get the same error even with the directory/file permissions changed to 777/666 respectively.
Difference between v1.9 and v2 lemonldap-ng.ini
=v1 and +=v2@@ -11,6 +11,9 @@
; Section âconfigurationâ is used to load global configuration and set cache
; (replace old storage.conf file)
;
not Present in v1; Section âapplyâ is read by Manager to reload handlers
not Present in v1; (replace old apply.conf file)
not Present in v1;
; Other section are only read by the specific LemonLDAP::NG component
;==============================================================================
=v1 and +=v2@@ -18,9 +21,6 @@
; CUSTOM FUNCTION
; If you want to create customFunctions in rules, declare them here:
not Present in v2;require = Package
not Present in v2; Prevent Portal to crash if Perl module is not found
not Present in v2;requireDontDie = 1
;customFunctions = function1 function2
;customFunctions = Package::func1 Package::func2
=v1 and +=v2@@ -34,105 +34,26 @@
; Warning: this can allow malicious code in custom functions or rules
;useSafeJail = 0
not Present in v2; LOGGING
not Present in v2;
not Present in v2; 1 - Defined logging level
not Present in v2; Set here one of error, warn, notice, info or debug
not Present in v2-logLevel = warn
not Present in v2; Note that this has no effect for Apache2 logging: Apache LogLevel is used
not Present in v2; instead
not Present in v2;
not Present in v2; 2 - Change logger
not Present in v2;
not Present in v2; By default, logging is set to:
not Present in v2; - Lemonldap::Common::Logger::Apache2 for ApacheMP2 handlers
not Present in v2; - Lemonldap::Common::Logger::Syslog for FastCGI (Nginx)
not Present in v2; - Lemonldap::Common::Logger::Std for PSGI applications (manager,
not Present in v2; portal,âŚ) when they are not
not Present in v2; launched by FastCGI server
not Present in v2; Other loggers availables:
not Present in v2; - Lemonldap::Common::Logger::Log4perl to use Log4perl
not Present in v2;
not Present in v2; âStdâ is redirected to the web server logs for Apache. For Nginx, only if
not Present in v2; request failed
not Present in v2;
not Present in v2; You can overload this in this section (for all) or in another section if
not Present in v2; you want to change logger for a specified app.
not Present in v2;
not Present in v2; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
not Present in v2; (userLogger). âuserLoggerâ uses the same class as âloggerâ if not set.
not Present in v2;logger = Lemonldap::Common::Logger::Syslog
not Present in v2;userLogger = Lemonldap::Common::Logger::Log4perl
not Present in v2;
not Present in v2; 2.1 - Using Syslog
not Present in v2;
not Present in v2; For Syslog logging, you can also overwrite facilities. Default values:
not Present in v2;logger = Lemonldap::Common::Logger::Syslog
not Present in v2;syslogFacility = daemon
not Present in v2;syslogOptions = cons,pid,ndelay
not Present in v2;userSyslogFacility = auth
not Present in v2;userSyslogOptions = cons,pid,ndelay
not Present in v2;
not Present in v2; 2.2 - Using Log4perl
not Present in v2;
not Present in v2; If you want to use Log4perl, you can set these parameters. Here are default
not Present in v2; values:
not Present in v2;logger = Lemonldap::Common::Logger::Log4perl
not Present in v2;log4perlConfFile = /etc/log4perl.conf
not Present in v2;log4perlLogger = LLNG
not Present in v2;log4perlUserLogger = LLNG.user
not Present in v2;
not Present in v2; Here, Log4perl configuration is read from /etc/log4perl.conf. The âLLNGâ
not Present in v2; value points to the logger class. Example:
not Present in v2; log4perl.logger.LLNG = WARN, File1
not Present in v2; log4perl.logger.LLNG.user = INFO, File2
not Present in v2; âŚ
not Present in v2; CONFIGURATION CHECK
not Present in v2;
not Present in v2; LLNG verify configuration at server start. If you use âreloadâ mechanism,
not Present in v2; local cache will be updated. Configuration is checked locally every
not Present in v2; 10 minutes by each LLNG component. You can change this value using
not Present in v2; checkTime
(time in seconds).
not Present in v2; To increase performances, you should comment this parameter and rely on cache.
not Present in v2-checkTime = 1
[configuration]
not Present in v2; confTimeout: maximum time to get configuration (default 10)
not Present in v2;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
not Present in v2; (File, REST, SOAP, CDBI/RDBI, LDAP, YAMLFile)
not Present in v1; (File, SOAP, RDBI/CDBI, LDAP)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set âtypeâ to one of the followings :
;
not Present in v2; * File/YAMLFile: you have to set âdirNameâ parameter. Example:
not Present in v2;
not Present in v2; type = File ; or type = YAMLFile
not Present in v1; * File: you have to set âdirNameâ parameter. Example:
not Present in v1;
not Present in v1; type = File
; dirName = /var/lib/lemonldap-ng/conf
not Present in v2; ; Optimize JSON for readability instead of performance
not Present in v2; prettyPrint = 1
not Present in v2;
not Present in v2; * CDBI/RDBI : you have to set âdbiChainâ (required) and âdbiUserâ and âdbiPasswordâ
not Present in v1;
not Present in v1; * RDBI/CDBI : you have to set âdbiChainâ (required) and âdbiUserâ and âdbiPasswordâ
; if needed. Example:
;
not Present in v2; type = CDBI
not Present in v2; ;type = RDBI
not Present in v2; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
not Present in v1; type = RDBI
not Present in v1; ;type = CDBI
not Present in v1; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
; dbiUser = lemonldap
; dbiPassword = password
not Present in v2;
not Present in v2; * REST: REST configuration access is a sort of proxy: the portal is
not Present in v2; configured to use the real session storage type (DBI or File for
not Present in v2; example).
not Present in v2; You have to set âbaseUrlâ parameter. Example:
not Present in v2;
not Present in v2; type = REST
not Present in v2; baseUrl = https://auth.example.com/config
not Present in v2; proxyOptions = { timeout => 5 }
not Present in v2; User = lemonldap
not Present in v2; Password = mypassword
;
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
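Review bot: the sign labels on this diff are inverted relative to its content: the lines marked as removed ("-", "not Present in v2") list `File/YAMLFile`, `REST` and `DBI:MariaDB`, which exist only in the 2.0 ini, while the "+" side lists `File, SOAP, RDBI/CDBI, LDAP` as the 1.9 choices, so read "-" as 2.0.x and "+" as 1.9 throughout the patch. Separately, the active `-checkTime = 1` on the 2.0 side makes every component re-check the configuration every second; the comment a few lines above it says to comment the parameter out and rely on the cache once things work, which is worth remembering when templating this file.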
=v1 and +=v2@@ -140,7 +61,7 @@
; You have to set âproxyâ parameter. Example:
;
; type = SOAP
not Present in v2; proxy = https://auth.example.com/config
not Present in v1; proxy = https://auth.example.com/index.pl/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
=v1 and +=v2@@ -158,8 +79,6 @@
type=File
dirName=/var/lib/lemonldap-ng/conf
not Present in v2; Optimize for readability instead of performance
not Present in v2-prettyPrint = 1
; LOCAL CACHE CONFIGURATION
;
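Review bot: both sides keep `type=File` and `dirName=/var/lib/lemonldap-ng/conf` unchanged; the only change in this hunk is `-prettyPrint = 1`, which affects how the JSON is written, not where it is read from, so this diff does not account for the "No configuration available" error discussed above: the 2.0.12 side still expects its lmConf-*.json files in that same directory.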
=v1 and +=v2@@ -171,35 +90,27 @@
; ânamespaceâ => âlemonldap-ng-configâ,
; âdefault_expires_inâ => 600,
; âdirectory_umaskâ => â007â,
not Present in v2; âcache_rootâ => âCACHEDIRâ,
not Present in v2; âcache_depthâ => 3,
not Present in v1; âcache_rootâ => â/tmpâ,
not Present in v1; âcache_depthâ => 0,
; }
localStorage=Cache::FileCache
localStorageOptions={
ânamespaceâ => âlemonldap-ng-configâ,
âdefault_expires_inâ => 600,
âdirectory_umaskâ => â007â,
not Present in v2- âcache_rootâ => âCACHEDIRâ,
not Present in v2- âcache_depthâ => 3,
not Present in v1+ âcache_rootâ => â/tmpâ,
not Present in v1+ âcache_depthâ => 0,
}
[portal]
not Present in v1; PERFORMANCES
not Present in v1; By setting useLocalConf, Portal will use only local cached configuration
not Present in v1; To refresh it, you must have an handler on the same server or you have to
not Present in v1; restart your server. This increase performances
not Present in v1;useLocalConf = 1
+
; PORTAL CUSTOMIZATION
not Present in v2; I - Required parameters
not Present in v2; staticPrefix: relative (or URL) location of static HTML components
not Present in v2-staticPrefix = PORTALSTATICDIR
not Present in v2; location of HTML templates directory
not Present in v2-templateDir = PORTALTEMPLATESDIR
not Present in v2; languages: available languages for portal interface
not Present in v2-languages = en, fr, vi, it, ar, de, fi, tr, pl, zh_TW, es
not Present in v2; II - Optional parameters (overwrite configuration)
; Name of the skin
;portalSkin = pastel
; Modules displayed
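Review bot: the `+` side sets `'cache_root' => '/tmp'` with `cache_depth => 0`, i.e. a flat configuration cache in a shared, world-writable directory, whereas the `-` side uses a dedicated `CACHEDIR` placeholder with depth 3; prefer a dedicated cache directory owned by the web server user, since `directory_umask => '007'` only governs what the cache itself creates, not who else can write under /tmp. In the same hunk the `-` side lists `staticPrefix`, `templateDir` and `languages` as "Required parameters" for [portal], with build-time placeholders PORTALSTATICDIR and PORTALTEMPLATESDIR that must be substituted with real paths when the ini is generated from a template.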
=v1 and +=v2@@ -218,20 +129,19 @@
; Override error codes
;error_0 = You are well authenticated!
; Custom template parameters
not Present in v2; For example to use <TMPL_VAR NAME=âmyparamâ>
not Present in v1; For example to use <TMPL_VAR NAME=âmyparamâ>
;tpl_myparam = test
not Present in v2; COMBINATION FORMS
not Present in v2; If you want to fix forms to display, you can use this;
not Present in v2;combinationForms = standardform, yubikeyform
not Present in v1; LOG
not Present in v1; By default, all is logged in Apache file. To log user actions by
not Present in v1; syslog, just set syslog facility here:
;syslog = auth
; SOAP FUNCTIONS
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
; error(language, code)
;Soap = 1
; Note that getAttibutes() will be activated but on a different URI
not Present in v2; (http://auth.example.com/sessions)
not Present in v1; (http://auth.example.com/index.pl/sessions)
; You can also restrict attributes and macros exported by getAttributes
;exportedAttr = uid mail
=v1 and +=v2@@ -288,11 +198,11 @@
; Use it to be able to notify messages during authentication
;notification = 1
; Note that the SOAP function newNotification will be activated on
not Present in v2; http://auth.example.com/notification
not Present in v2; If you want to hide this, just protect â/index.fcgi/notificationâ in
not Present in v1; http://auth.example.com/index.pl/notification
not Present in v1; If you want to hide this, just protect â/index.pl/notificationâ in
; your Apache configuration file
; XSS protection bypass
not Present in v2; By default, the portal refuses redirections that come from sites not
not Present in v1; By default, the portal refuse redirections that comes from sites not
; registered in the configuration (manager) except for those coming
; from trusted domains. By default, trustedDomains contains the domain
; declared in the manager. You can set trustedDomains to empty value so
=v1 and +=v2@@ -305,21 +215,6 @@
; Set to 0 to disable error on XSS attack detection
;checkXSS = 0
not Present in v2; pdata cookie domain
not Present in v2; pdata cookie could not be sent with cross domains AJAX request
not Present in v2; Null is default value
not Present in v2;pdataDomain = example.com
not Present in v2; CUSTOM PLUGINS
not Present in v2; If you want to add custom plugins, set list here (comma separated)
not Present in v2; Read Lemonldap::Portal::Main::Plugin(3pm) man page.
not Present in v2;customPlugins = ::My::Package1, ::My::Package2
not Present in v2; To avoid bad/expired OTT if âauthsslâ and âauthâ are served by different Load Balancers
not Present in v2; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
not Present in v2;forceGlobalStorageUpgradeOTT = 1
not Present in v2;forceGlobalStorageIssuerOTT = 1
[handler]
; Handler cache configuration
=v1 and +=v2@@ -329,7 +224,7 @@
; ânamespaceâ => âlemonldap-ng-sessionsâ,
; âdefault_expires_inâ => 600,
; âdirectory_umaskâ => â007â,
not Present in v2; âcache_rootâ => âCACHEDIRâ,
not Present in v1; âcache_rootâ => â/tmpâ,
; âcache_depthâ => 3,
; }
=v1 and +=v2@@ -347,10 +242,6 @@
;useRedirectOnForbidden = 1
; Hide LemonLDAP::NG Handler in Apache Server Signature
;hideSignature = 1
not Present in v2; Set ServiceToken timeout
not Present in v2;handlerServiceTokenTTL = 30
not Present in v2; Set Impersonation/ContextSwitching prefix
not Present in v2; impersonationPrefix = real_
useRedirectOnError = 1
; Zimbra Handler parameters
=v1 and +=v2@@ -374,39 +265,21 @@
; * none : no protection
protection = manager
not Present in v1; logLevel. Set here one of error, warn, notice, info or debug
not Present in v1+logLevel = warn
+
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = MANAGERSTATICDIR
;
not Present in v2; instanceName: Display current LLNG instance into Manager
not Present in v2;instanceName = Demo
; location of HTML templates directory
templateDir = MANAGERTEMPLATESDIR
; languages: available languages for manager interface
not Present in v2-languages = en, fr, it, vi, ar, tr, pl, zh_TW, es
not Present in v1+languages = fr, en
; Manager modules enabled
; Set here the list of modules you want to see in manager interface
; The first will be used as default module displayed
not Present in v2;enabledModules = conf, sessions, notifications, 2ndFA, viewer
not Present in v2-enabledModules = conf, sessions, notifications, 2ndFA
not Present in v2; To avoid restricted users to edit configuration, defaulModule MUST be different than âconfâ
not Present in v2; âconfâ is set by default
not Present in v2;defaultModule = viewer
not Present in v2; Viewer module allows us to edit configuration in read-only mode
not Present in v2; Options can be set with specific rules like this :
not Present in v2;viewerAllowBrowser = $uid eq âdwhoâ
not Present in v2;viewerAllowDiff = $uid ne âdwhoâ
not Present in v2;
not Present in v2; Viewer options - Default values
not Present in v2;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
not Present in v2;viewerAllowBrowser = 0
not Present in v2;viewerAllowDiff = 0
not Present in v2;[node-handler]
not Present in v2;
not Present in v2;This section is for node-lemonldap-ng-handler
not Present in v2;nodeVhosts = test3.example.com, test4.example.com
not Present in v1+enabledModules = conf, sessions, notifications
+
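Review bot: on the `-` side `viewerHiddenKeys` hides managerPassword, ManagerDn, globalStorageOptions and persistentStorageOptions (the keys most likely to carry credentials) from the read-only viewer, and `viewerAllowBrowser`/`viewerAllowDiff` default to 0; if `viewer` is added to the active `enabledModules` line (the commented line above it already lists it), keep those defaults unless the users given viewer access should see them, and note `defaulModule` in the comment is a typo for `defaultModule`. Also, `logLevel = warn` sits under [manager] on the `+` side but in the global section next to `logger`/`userLogger` on the `-` side, so a template should follow the layout of the version actually installed.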
What was the last version it was working in? Was it 1.9 or 2.0.11?
Edit: never mind, I checked the git repo. I'm going to manually install 2.0.11, then install nethserver-lemonldap-ng, get it working, then try and get 2.0.12 working, and maybe create some scripts like your /root/lemon-config.sh to automate the process of setting up the SAML plugins in the apps and propagating the configuration.
OK, I manually downloaded and installed version 2.0.11 and ran /root/lemon_config.sh. I did still get this error:
Test AuthChoiceParams failed: Can't use an undefined value as a HASH reference at /usr/share/perl5/vendor_perl/Lemonldap/NG/Manager/Conf/Tests.pm line 972, <FILE> line 1
and it didn't render the background and logo (I'll look into that later), but I can say we have SSO on Raspberry Pi.
OK, fixed a dependency, now we have:
I set up education perfect and I can confirm it successfully works.
I'd also like to state this is running on a 32 GB SD. I don't have many users and it's running really well; I'm sure with an M.2 SATA SSD it would be very quick.
OK, here's the problem:
Looks easy enough to fix in the config script. More to follow.
Edit: I'm still going to need to get this into the templates and build a new RPM, but you should be able to add this starting on line 18 of lemon_config.sh:
# Check for cfgDate property and add if missing
# See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2566
# grep -q: only the exit status matters, so the matching line is not echoed
if ! grep -q cfgDate /var/lib/lemonldap-ng/conf/lmConf-1.json; then
  echo "Adding cfgDate property to lmConf-1.json"
  # Insert a "cfgDate": "<epoch seconds>" line after line 88 of the generated file
  sed -i "88 a \"cfgDate\": \"$( date +%s )\"," /var/lib/lemonldap-ng/conf/lmConf-1.json
fi
Edit 2: Updated RPM is in the repo.
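The sed line above inserts the property at a fixed line number, which only works while the generated lmConf-1.json keeps that exact layout. As an added example (not part of the thread or of the nethserver-lemonldap-ng package), the same fix done by parsing the JSON, adding cfgDate only if it is missing, and writing the file back atomically while keeping its mode and owner; the sample config and the timestamp are constructed, and ensure_cfg_date/demo are hypothetical helper names.

```python
import json
import os
import tempfile
import time

# Constructed minimal stand-in for lmConf-1.json (the real file has many more
# keys); deliberately lacks cfgDate, as in the thread.
SAMPLE_CONF = {"cfgNum": 1, "cfgAuthor": "The LemonLDAP::NG team",
               "cfgVersion": "2.0.12", "domain": "example.com"}


def ensure_cfg_date(path, now=None):
    """Add cfgDate (Unix epoch seconds) to the JSON config at `path` if it is
    missing. Returns True when the file was modified, False if nothing to do."""
    with open(path, "r", encoding="utf-8") as fh:
        conf = json.load(fh)  # fail loudly on malformed JSON instead of patching blindly
    if "cfgDate" in conf:
        return False
    conf["cfgDate"] = int(time.time() if now is None else now)
    st = os.stat(path)
    # Write a temp file in the same directory, then rename it over the original,
    # so a crash mid-write can never leave a truncated config behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".lmConf-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            json.dump(conf, out, indent=3, sort_keys=True)
            out.write("\n")
        os.chmod(tmp, st.st_mode & 0o7777)   # keep the original permissions
        try:
            os.chown(tmp, st.st_uid, st.st_gid)  # keep apache ownership when run as root
        except PermissionError:
            pass  # not root: the file stays owned by the current user
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo(tmpdir=None):
    """Write the constructed sample, run the fix twice and return
    (changed_first_time, changed_second_time, cfgDate_in_file)."""
    d = tmpdir or tempfile.mkdtemp()
    path = os.path.join(d, "lmConf-1.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_CONF, fh)
    fixed_now = 1627243585  # constructed fixed timestamp so the result is repeatable
    first = ensure_cfg_date(path, now=fixed_now)
    second = ensure_cfg_date(path, now=fixed_now)   # idempotent: no second write
    with open(path, encoding="utf-8") as fh:
        return first, second, json.load(fh)["cfgDate"]


if __name__ == "__main__":
    print(demo())  # (True, False, 1627243585)
```

Pointing ensure_cfg_date at /var/lib/lemonldap-ng/conf/lmConf-1.json as root does the same job as the sed line without depending on line 88.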
I did; it's deployed on a Raspberry Pi. I started by following these instructions:
And then added SSH certificate support to it using:
https://www.familybrown.org/dokuwiki/doku.php?id=advanced:ssh_conversion
So far, it seems to be working pretty well. Host certificates mean that my known_hosts files are shrinking dramatically, and user certs mean that authorized_keys is also shrinking.
Getting a user cert that covers multiple usernames is a little awkward, so I set up a shell alias to make it a single command.
Right now, it works well for me on Linux and macOS, but not Windows. Not a big problem for me, as I use my Macs most of the time, but I'd like to figure out where the problem is with Windows too.
Can confirm it works.
Then maybe it's time for me to get a Raspberry Pi; it seems many of you guys are going the Pi route on the majority of the setups that are being done.
In my case, to be clear, I'm only running the CA on the Pi. I think having it on a standalone device, set up as described in that article, makes for a pretty secure local CA. It seems LLNG can be made to run on a Pi, and Neth certainly can, but I haven't worked with either of those as yet.
At the moment I'd say it's more proof of concept. Not saying it wouldn't be reliable; it definitely needs more stress testing. I've only got about 5 users; mine is working very reliably, although it's only been live for about a week and lemon-ldap-ng about 2 days.
Well, for me, since most of my deployments are virtualised, and I don't really have a Raspberry Pi physically, since they are harder to get here in the country than just getting a normal computer, I guess most Pi-related things I can't really test and work on. I can only hope for Debian, Ubuntu or NethServer (RHEL) related documentation and tutorials.
You could run Pi in a virtual machine.
How, is that doable? Is there an OpenStack option for the same?
I see most are for VMware and VirtualBox.
I did download a pre-made Debian virtual machine, but have a look here:
Emulate Raspberry Pi. As for OpenStack, I know there's lots of how-tos for running OpenStack on Pi but not the other way around. I'll do some digging to find out what would be involved in creating a virtual stack VM; might be able to build one.
I have many Asus thin clients I got at about $10; maybe I can see how to natively install the Raspberry Pi on it, since it's got small internal storage and RAM: 4 GB RAM and 60 GB HDD.