Differences

documentation:latest:upgrade [2019/05/17 10:12]
maxbes warn users about rpm wiping config files, see 023cfb1de6042642baf532025e406f729e61a794 and #1757
documentation:latest:upgrade [2020/05/09 13:34] (current)
maxbes [2.0.8]
Line 1: Line 1:
 ====== Upgrade from 2.0.x to 2.0.y ====== ====== Upgrade from 2.0.x to 2.0.y ======
  
-Update from one minor version to another does not require any particular action. ​Please apply general caution as you would with any software: have backups and a rollback plan ready!+Please apply general caution as you would with any software: have backups and a rollback plan ready!
  
-Do not forget ​to read the release notes of the version ​you are about to install ​for any specific instructions.+<note warning>​If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update.</​note>​ 
 + 
 +===== 2.0.8 ===== 
 + 
 +  * New dependency: Perl module Time::Fake is now required to run unit test and build packages, but should ​not be mandatory ​to run the software. 
 +  * Nginx configuration:​ some changes are required to allow IPv6, see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2152|#​2152]] 
 +  * Option ''​singleSessionUserByIP''​ was removed, see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2159|#​2159]] 
 +  * A memory leak was found in perl-fcgi with Perl < 5.18, a workaround is possible with Apache and llng-fastcgi-server,​ see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1314|#​1314]] 
 +    * With Apache: set ''​FcgidMaxRequestsPerProcess 500''​ in portal virtual host 
 +    * With llng-fastcgi-server:​ set ''​PM_MAX_REQUESTS=500''​ in llng-fastcgi-server service configuration 
 +  * Cookie ''​SameSite''​ value: to avoid problems with recent browsers, SAML POST binding, LLNG cookies are now tagged as "​**SameSite=None**"​. You can change this value using manager, "​**SameSite=Lax**"​ is best for installations without federations. **Important note**: if you're using an unsecured connection //<​nowiki>​(http://​ instead ​of https://​)</​nowiki>//,​ "​SameSite=None"​ will be ignored by browsers and users that already have a valid session might be prompted to login again. 
 +  * OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now return a 401 when called without an Access Token, instead of redirecting to the portal, as specified by [[https://​tools.ietf.org/​html/​rfc6750|RFC6750]] 
 + 
 +  * If you encounter the following issue: 
 +<​code>​ 
 +AH01630: client denied by server configuration:​ /​usr/​share/​lemonldap-ng/​manager/​api/​api.fcgi 
 +</​code>​ 
 +when trying ​to access the portal. It probably comes from incorrect Apache configuration. Remove the (optional and disabled by default) manager API config:  
 +<​code>​ 
 +rm /​etc/​httpd/​conf.d/​z-lemonldap-ng-api.conf && systemctl reload httpd 
 +</​code>​ 
 +===== 2.0.7 ===== 
 + 
 +  * Security: 
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2040|#​2040]]:​ Configuration of a redirection URI for an OpenID Connect Relying Party is now mandatory, as defined in the specifications. If you save your configuration,​ you will have an error if some of your RP don't have a redirect URI configured. 
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1943|#​1943]] / [[https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19791|CVE-2019-19791]]:​ along with the patch provided in 2.0.7 in ''​Lemonldap/​NG/​Common/​PSGI/​Request.pm'',​ Apache rewrite rule must be updated to avoid an unprotected access to REST services: 
 +<​code>​portal-apache2.conf</​code>​ 
 +<file apache>​ 
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​(?:​static|javascript|favicon).*|.*\.fcgi(?:/​.*)?​)$"​ 
 +    RewriteRule "​^/​(.+)$"​ "/​index.fcgi/​$1"​ [PT] 
 +</​file>​ 
 +<​code>​manager-apache2.conf</​code>​ 
 +<file apache>​ 
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​static|doc|lib|javascript|favicon).*"​ 
 +    RewriteRule "​^/​(.+)$"​ "/​manager.fcgi/​$1"​ [PT] 
 +</​file>​ 
 + 
 +  * Other: 
 +    * Option ''​checkTime''​ was enabled by default in ''​lemonldap-ng.ini'',​ this let the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need strong [[performances|performances]]. 
 +  * Removed parameters:​ 
 +    * ''​samlIdPResolveCookie''​ 
 + 
 +===== 2.0.6 ===== 
 + 
 +  * Option was added to display generate password box in [[resetpassword|password reset by mail plugin]]. If you use this feature, you must enable this option, which is disabled by default. 
 +  * If you use the default _whatToTrace macro and a case insensitive authentication backend, then a user can generate several persistent sessions for the same login (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1869|issue 1869]]). This can lead to a security bug if you enabled 2FA, which rely on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace,​ either force lower case in your macro: 
 +<code perl> 
 +$_auth eq '​SAML'​ ? lc($_user.'​@'​.$_idpConfKey) : $_auth eq '​OpenIDConnect'​ ? lc($_user.'​@'​.$_oidc_OP) : lc($_user) 
 +</​code>​ 
 +  * On CentOS 7 / RHEL 7, a system upgrade breaks ImageMagick,​ which is used to display captchas (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1951|#​1951]]). To fix this, you can run the following commands: 
 +<​code>​ 
 +yum install -y urw-base35-fonts-legacy 
 +sed '​s,/​usr/​share/​fonts/​default/​Type1/,/​usr/​share/​X11/​fonts/​urw-fonts/,​g'​ -i /​etc/​ImageMagick/​type-ghostscript.xml 
 +</​code>​ 
 + 
 +===== 2.0.5 ===== 
 + 
 +  * The Text::​Unidecode perl module becomes a requirement //(it will be automatically installed if you upgrade from from the deb or RPM repositories)//​ 
 +  * CAS logout starts validating the service= parameter, but only if you use the CAS Access control policy. The URL sent in the service= parameter will be checked against [[idpcas#​configuring_cas_applications|known CAS applications]],​ Virtual Hosts, and  [[security#​configure_security_settings|trusted domains]]. Add your target domain to trusted domains if you suddenly start having "​Invalid URL" messages on logout 
 +  * Improvements in cryptographic functions: to take advantage of them, **you must change the encryption key** of LemonLDAP::​NG (see [[cli_examples#​encryption_key|CLI example]]). 
 +  * Debian packaging: ​ FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf. Those configuration files are now provided by lemonldap-ng-handler package and installed in /​etc/​nginx/​snippets directory.
  
-===== RPM users ===== 
  
-If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update. 
  
 ====== Upgrade from 1.9 to 2.0 ====== ====== Upgrade from 1.9 to 2.0 ======
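Review bot: the 2.0.8 troubleshooting step for AH01630 deletes a vhost file with `rm /etc/httpd/conf.d/z-lemonldap-ng-api.conf && systemctl reload httpd`, while the warning box added at the top of this same hunk tells RPM users to back up exactly those `z-lemonldap-ng-*.conf` files; suggest moving the file aside instead of deleting it (for example `mv /etc/httpd/conf.d/z-lemonldap-ng-api.conf /root/` followed by the reload) and stating that this file only serves the optional, disabled-by-default manager API, so readers do not confuse it with the portal, manager or handler vhosts. Two smaller points: the removed sentence "Do not forget to read the release notes of the version you are about to install for any specific instructions." now has no replacement, and a one-line pointer to the release notes would still be useful above the per-version sections; and the CVE-2019-19791 item shows the new `RewriteCond`/`RewriteRule` lines for `portal-apache2.conf` and `manager-apache2.conf` without saying which existing lines they replace, so an admin editing by hand cannot tell whether to add or substitute them.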
Line 96: Line 154:
   * some variable names have changed. See [[variables]] document   * some variable names have changed. See [[variables]] document
  
 +===== Opening conditions =====
 +
 +  * Rule and message fields have been swaped. You have to modifiy and validate again your access rules.
 ===== Supported servers ===== ===== Supported servers =====
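Review bot: spelling in the new "Opening conditions" item: "swaped" should be "swapped" and "modifiy" should be "modify", and the sentence reads better as "You have to modify your access rules and validate them again." It would also help to say where in the manager this applies and whether existing rules are migrated automatically or must be re-entered, since "validate again" can be read either way.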