Differences

This shows you the differences between two versions of the page.

documentation:latest:upgrade [2019/09/09 10:53]
coudot
documentation:latest:upgrade [2020/02/23 13:20] (current)
cmaudoux [Opening conditions]
Line 1: Line 1:
 ====== Upgrade from 2.0.x to 2.0.y ====== ====== Upgrade from 2.0.x to 2.0.y ======
- 
-Update from one minor version to another does not require any particular action except: 
-  * The Text::​Unidecode perl module becomes a requirement after version 2.0.5 //(it will be automatically installed if you upgrade from from the deb or RPM repositories)//​ 
-  * Since 2.0.5, CAS logout starts validating the service= parameter, but only if you use the CAS Access control policy. The URL sent in the service= parameter will be checked against [[idpcas#​configuring_cas_applications|known CAS applications]],​ Virtual Hosts, and  [[security#​configure_security_settings|trusted domains]]. Add your target domain to trusted domains if you suddenly start having "​Invalid URL" messages on logout 
-  * 2.0.5 adds some improvements in cryptographic functions. To take advantage of them, **you must change the encryption key** of LemonLDAP::​NG (see [[cli_examples#​encryption_key|CLI example]]). 
  
 Please apply general caution as you would with any software: have backups and a rollback plan ready! Please apply general caution as you would with any software: have backups and a rollback plan ready!
- 
-Do not forget to read the release notes of the version you are about to install for any specific instructions. 
  
 <note warning>​If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update.</​note>​ <note warning>​If you have [[installrpm|installed LemonLDAP::​NG from official RPMs]], you may run into bug [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1757|#​1757]] and lose your Apache configuration files while updating from LemonLDAP::​NG 2.0.0 or 2.0.1 to later versions. Please backup your ''/​etc/​httpd/​conf.d/​z-lemonldap-ng-*.conf''​ files before the update.</​note>​
 +
 +===== 2.0.8 =====
 +
 +  * New dependency: Perl module Time::Fake is now required to run unit test and build packages, but should not be mandatory to run the software.
 +
 +===== 2.0.7 =====
 +
 +  * Security:
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​2040|#​2040]]:​ Configuration of a redirection URI for an OpenID Connect Relying Party is now mandatory, as defined in the specifications. If you save your configuration,​ you will have an error if some of your RP don't have a redirect URI configured.
 +    * [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1943|#​1943]] / [[https://​cve.mitre.org/​cgi-bin/​cvename.cgi?​name=CVE-2019-19791|CVE-2019-19791]]:​ along with the patch provided in 2.0.7 in ''​Lemonldap/​NG/​Common/​PSGI/​Request.pm'',​ Apache rewrite rule must be updated to avoid an unprotected access to REST services:
 +<​code>​portal-apache2.conf</​code>​
 +<file apache>
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​(?:​static|javascript|favicon).*|.*\.fcgi(?:/​.*)?​)$"​
 +    RewriteRule "​^/​(.+)$"​ "/​index.fcgi/​$1"​ [PT]
 +</​file>​
 +<​code>​manager-apache2.conf</​code>​
 +<file apache>
 +    RewriteCond "​%{REQUEST_URI}"​ "​!^/​(?:​static|doc|lib|javascript|favicon).*"​
 +    RewriteRule "​^/​(.+)$"​ "/​manager.fcgi/​$1"​ [PT]
 +</​file>​
 +
 +  * Other:
 +    * Option ''​checkTime''​ was enabled by default in ''​lemonldap-ng.ini'',​ this let the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need strong [[performances|performances]].
 +  * Removed parameters:
 +    * ''​samlIdPResolveCookie''​
 +
 +===== 2.0.6 =====
 +
 +  * Option was added to display generate password box in [[resetpassword|password reset by mail plugin]]. If you use this feature, you must enable this option, which is disabled by default.
 +  * If you use the default _whatToTrace macro and a case insensitive authentication backend, then a user can generate several persistent sessions for the same login (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1869|issue 1869]]). This can lead to a security bug if you enabled 2FA, which rely on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace,​ either force lower case in your macro:
 +<code perl>
 +$_auth eq '​SAML'​ ? lc($_user.'​@'​.$_idpConfKey) : $_auth eq '​OpenIDConnect'​ ? lc($_user.'​@'​.$_oidc_OP) : lc($_user)
 +</​code>​
 +  * On CentOS 7 / RHEL 7, a system upgrade breaks ImageMagick,​ which is used to display captchas (see [[https://​gitlab.ow2.org/​lemonldap-ng/​lemonldap-ng/​issues/​1951|#​1951]]). To fix this, you can run the following commands:
 +<​code>​
 +yum install -y urw-base35-fonts-legacy
 +sed '​s,/​usr/​share/​fonts/​default/​Type1/,/​usr/​share/​X11/​fonts/​urw-fonts/,​g'​ -i /​etc/​ImageMagick/​type-ghostscript.xml
 +</​code>​
 +
 +===== 2.0.5 =====
 +
 +  * The Text::​Unidecode perl module becomes a requirement //(it will be automatically installed if you upgrade from from the deb or RPM repositories)//​
 +  * CAS logout starts validating the service= parameter, but only if you use the CAS Access control policy. The URL sent in the service= parameter will be checked against [[idpcas#​configuring_cas_applications|known CAS applications]],​ Virtual Hosts, and  [[security#​configure_security_settings|trusted domains]]. Add your target domain to trusted domains if you suddenly start having "​Invalid URL" messages on logout
 +  * Improvements in cryptographic functions: to take advantage of them, **you must change the encryption key** of LemonLDAP::​NG (see [[cli_examples#​encryption_key|CLI example]]).
 +  * Debian packaging: ​ FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf. Those configuration files are now provided by lemonldap-ng-handler package and installed in /​etc/​nginx/​snippets directory.
 +
 +
  
 ====== Upgrade from 1.9 to 2.0 ====== ====== Upgrade from 1.9 to 2.0 ======
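Review bot: the 2.0.7 entry for #1943 / CVE-2019-19791 says the Apache rewrite rule "must be updated" but shows only the new RewriteCond/RewriteRule pairs, so an administrator cannot tell from this page whether the file already deployed matches, or which part of the condition changed. Please show the previous line next to the new one (or name the part of the pattern that is new) for both portal-apache2.conf and manager-apache2.conf, and say whether Nginx deployments need an equivalent change, since only Apache is covered. In the same entry, the manager condition "!^/(?:static|doc|lib|javascript|favicon).*" has no path boundary after the alternation, so it matches any URI that merely begins with one of those words; if that is intended, a short remark would help readers who adapt the rule. Minor: the 2.0.5 item carries "from from" over from the removed paragraph, and the 2.0.6 item reads "either ... either" where "either ... or" is meant.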
Line 99: Line 139:
   * some variable names have changed. See [[variables]] document   * some variable names have changed. See [[variables]] document
  
 +===== Opening conditions =====
 +
 +  * Rule and message fields have been switched. You have to modifiy and validate again your access rules.
 ===== Supported servers ===== ===== Supported servers =====
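Review bot: in the new "Opening conditions" item, "your access rules" is ambiguous because the section is about opening conditions, not virtual host access rules; please name the setting exactly as it appears in the Manager and state what happens to existing entries after the upgrade if they are left unchanged, since the rule and message fields have swapped places. Also "modifiy" should be "modify", and the section needs a blank line before the "===== Supported servers =====" heading to match the rest of the page.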