<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:1.9:upgrade</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,upgrade"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="upgrade.html"/>
<link rel="contents" href="upgrade.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:upgrade","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#json_serialization">JSON serialization</a></div></li>
<li class="level1"><div class="li"><a href="#avoid_using_lmconfigeditor_during_upgrade">Avoid using lmConfigEditor during upgrade</a></div></li>
<li class="level1"><div class="li"><a href="#migration_of_old_configuration">Migration of old configuration</a></div></li>
<li class="level1"><div class="li"><a href="#portal_autocomplete_configuration">Portal autocomplete configuration</a></div></li>
<li class="level1"><div class="li"><a href="#support_for_centosrhel_5_and_centosrhel_6_dropped">Support for CentOS/RHEL 5 and CentOS/RHEL 6 dropped</a></div></li>
<li class="level1"><div class="li"><a href="#manager_components_protection">Manager components protection</a></div></li>
<li class="level1"><div class="li"><a href="#ajax_unauthenticated_requests_in_handler">AJAX unauthenticated requests in handler</a></div></li>
<li class="level1"><div class="li"><a href="#persistent_sessions">Persistent sessions</a></div></li>
<li class="level1"><div class="li"><a href="#multi_backend">Multi backend</a></div></li>
<li class="level1"><div class="li"><a href="#specific_handler">Specific Handler</a></div></li>
<li class="level1"><div class="li"><a href="#saml_conditions_checking">SAML conditions checking</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="upgrade_from_14_to_19">Upgrade from 1.4 to 1.9</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Upgrade from 1.4 to 1.9" [1-39] -->
<h2 class="sectionedit2" id="json_serialization">JSON serialization</h2>
<div class="level2">
<p>
LemonLDAP::NG now uses JSON serialization to store configuration and sessions instead of the <code>Storable::nfreeze</code> Perl function. This allows heterogeneous servers <em>(32/64 bits or different Perl versions)</em> to be connected to the same <abbr title="LemonLDAP::NG">LL::NG</abbr> organization. The old format still works, but:
</p>
<ul>
<li class="level1"><div class="li"> configuration backends: the new format is applied at the first configuration save,</div>
</li>
<li class="level1"><div class="li"> session storage: the new format is applied to each new session and whenever an existing session is updated. If you have custom hooks, you can force LemonLDAP::NG to keep the old serialization method by setting <code>useStorable</code> to 1 in the sessions backend options.</div>
</li>
</ul>
<div class="noteimportant">If you have more than one server and don't want to stop the <abbr title="Single Sign On">SSO</abbr> service, start upgrading in the following order:<ul>
<li class="level1"><div class="li"> servers that have only handlers;</div>
</li>
<li class="level1"><div class="li"> portal servers (all together if your load balancer doesn't keep state by user or client <abbr title="Internet Protocol">IP</abbr> and if users use the menu);</div>
</li>
<li class="level1"><div class="li"> manager server</div>
</li>
</ul>
</div>
</div>
<!-- EDIT2 SECTION "JSON serialization" [40-1018] -->
<h2 class="sectionedit3" id="avoid_using_lmconfigeditor_during_upgrade">Avoid using lmConfigEditor during upgrade</h2>
<div class="level2">
<p>
Some attributes may be removed during each upgrade. Since 1.9, saving is rejected if an attribute isn't declared in the Manager structure. So don't use lmConfigEditor during an upgrade unless you know exactly which changes have been made.
</p>
</div>
<!-- EDIT3 SECTION "Avoid using lmConfigEditor during upgrade" [1019-1306] -->
<h2 class="sectionedit4" id="migration_of_old_configuration">Migration of old configuration</h2>
<div class="level2">
<p>
The old configuration format is compatible with the current version and will be converted to the new format at the first save. However, you need to check all non-<abbr title="American Standard Code for Information Interchange">ASCII</abbr> values, which may have been stored with ISO encoding instead of Unicode. You must convert them before saving the new configuration.
</p>
</div>
<!-- EDIT4 SECTION "Migration of old configuration" [1307-1623] -->
<h2 class="sectionedit5" id="portal_autocomplete_configuration">Portal autocomplete configuration</h2>
<div class="level2">
<p>
Modern browsers no longer take the autocomplete attribute on password fields into account. This means that even if you don't want the password to be remembered, the browser will still propose it.
</p>
<p>
As it was not used anymore, this option is now removed. See <a href="https://jira.ow2.org/browse/LEMONLDAP-824" class="urlextern" title="https://jira.ow2.org/browse/LEMONLDAP-824" rel="nofollow">https://jira.ow2.org/browse/LEMONLDAP-824</a> for more details.
</p>
</div>
<!-- EDIT5 SECTION "Portal autocomplete configuration" [1624-1993] -->
<h2 class="sectionedit6" id="support_for_centosrhel_5_and_centosrhel_6_dropped">Support for CentOS/RHEL 5 and CentOS/RHEL 6 dropped</h2>
<div class="level2">
<p>
Because their Perl version is too old and some modules are missing, <abbr title="LemonLDAP::NG">LL::NG</abbr> is no longer available for CentOS/RHEL 5 and 6. You need CentOS/RHEL 7 or a Debian-based box to run this version of <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
</div>
<!-- EDIT6 SECTION "Support for CentOS/RHEL 5 and CentOS/RHEL 6 dropped" [1994-2244] -->
<h2 class="sectionedit7" id="manager_components_protection">Manager components protection</h2>
<div class="level2">
<p>
You can no longer set a different <code>protection</code> parameter for the sessions explorer and configuration management. The <code>protection</code> parameter applies to all components, but you can use access rules to manage authorizations between configuration, notifications and sessions:
</p>
<pre class="code perl"><span class="sy0">^</span><span class="co2">/(manager\.html|conf/</span><span class="br0">)</span> <span class="sy0">=></span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">"dwho"</span>
default <span class="sy0">=></span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">"dwho"</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">"rtyler"</span> </pre>
</div>
<!-- EDIT7 SECTION "Manager components protection" [2245-2657] -->
<h2 class="sectionedit8" id="ajax_unauthenticated_requests_in_handler">AJAX unauthenticated requests in handler</h2>
<div class="level2">
<p>
Previously, to request authentication, handlers sent a 302 HTTP code and the portal then sent the <abbr title="HyperText Markup Language">HTML</abbr> form, even if the request was an Ajax one. Now, after the Handler redirects the request, the portal sends a 401 code with a <code>WWW-Authenticate</code> header containing “<abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;”. This is a small HTTP protocol hook, created because browsers follow redirections transparently and JSON queries have to be answered with JSON.
</p>
<p>
If you want to keep the old behavior, set <code>noAjaxHook</code> to 1 (in General Parameters → Advanced → Portal redirections → Keep redirections for Ajax).
</p>
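<p>
Added example (not LemonLDAP::NG code): a client-side handler for the 401 hook described above. It parses the <code>WWW-Authenticate</code> value and only sends the user to a portal whose origin is on a caller-supplied allowlist; the function names, the allowlist and the <code>example.com</code> hosts are assumptions, and the parser accepts the URL with or without angle brackets.
</p>

```javascript
// Added example, not LemonLDAP::NG code. Hosts are constructed sample values.

// Parse a WWW-Authenticate value of the form "SSO <portal-URL>".
// Assumption: the URL may arrive with or without the angle brackets.
function parseSsoChallenge(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^\s*SSO\s+(\S+)\s*$/i.exec(headerValue);
  if (!m) return null;
  let url;
  try {
    url = new URL(m[1].replace(/^<|>$/g, ''));
  } catch (e) {
    return null; // not an absolute URL
  }
  // Only web schemes are acceptable navigation targets.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url;
}

// Return the portal URL to navigate to, or null when the response is not
// an SSO challenge or names a portal that is not on the allowlist.
function loginRedirectFor(status, headerValue, trustedPortalOrigins) {
  if (status !== 401) return null;
  const portal = parseSsoChallenge(headerValue);
  if (!portal || !trustedPortalOrigins.includes(portal.origin)) return null;
  return portal.href;
}

// Wrapper for JSON calls: fetchImpl and navigate are injected so the logic
// can run in a browser (fetch, location.assign) or under test.
async function fetchJson(url, trustedPortalOrigins, fetchImpl, navigate) {
  const res = await fetchImpl(url, { headers: { Accept: 'application/json' } });
  const target = loginRedirectFor(
    res.status, res.headers.get('WWW-Authenticate'), trustedPortalOrigins);
  if (target) {
    navigate(target); // session missing or expired: go to the portal
    return null;
  }
  if (!res.ok) throw new Error('HTTP ' + res.status);
  return res.json();
}
```

<p>
When the portal is on a different origin from the application, script can read <code>WWW-Authenticate</code> only if the response exposes it through CORS (<code>Access-Control-Expose-Headers</code>).
</p>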
</div>
<!-- EDIT8 SECTION "AJAX unauthenticated requests in handler" [2658-3282] -->
<h2 class="sectionedit9" id="persistent_sessions">Persistent sessions</h2>
<div class="level2">
<p>
Persistent sessions have new attributes:
</p>
<ul>
<li class="level1"><div class="li"> <code>_session_uid</code>: real user identifier</div>
</li>
<li class="level1"><div class="li"> <code>_utime</code>: creation timestamp</div>
</li>
</ul>
<p>
These attributes make it possible to browse persistent sessions in the sessions explorer. Old persistent sessions will automatically get these new attributes when the user connects.
</p>
</div>
<!-- EDIT9 SECTION "Persistent sessions" [3283-3589] -->
<h2 class="sectionedit10" id="multi_backend">Multi backend</h2>
<div class="level2">
<p>
The <a href="authmulti.html" class="wikilink1" title="documentation:1.9:authmulti">Multi backend</a> configuration has changed. Now the stacks are defined in separate attributes:
</p>
<ul>
<li class="level1"><div class="li"> multiAuthStack</div>
</li>
<li class="level1"><div class="li"> multiUserDBStack</div>
</li>
</ul>
<p>
So an old configuration like this:
</p>
<pre class="file">authentication = Multi LDAP;DBI
userDB = Multi LDAP;DBI</pre>
<p>
Must be replaced by:
</p>
<pre class="file">authentication = Multi
userDB = Multi
multiAuthStack = LDAP;DBI
multiUserDBStack = LDAP;DBI</pre>
</div>
<!-- EDIT10 SECTION "Multi backend" [3590-4003] -->
<h2 class="sectionedit11" id="specific_handler">Specific Handler</h2>
<div class="level2">
<p>
The Handler <abbr title="Application Programming Interface">API</abbr> has changed and specific Handlers have been rewritten. They still work, but their configuration must be set in the <code>lemonldap-ng.ini</code> file instead of the Manager. More details:
</p>
<ul>
<li class="level1"><div class="li"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:1.9:applications:zimbra">Zimbra</a></div>
</li>
<li class="level1"><div class="li"> <a href="securetoken.html" class="wikilink1" title="documentation:1.9:securetoken">Secure Token</a></div>
</li>
<li class="level1"><div class="li"> <a href="handlerauthbasic.html" class="wikilink1" title="documentation:1.9:handlerauthbasic">Auth Basic</a></div>
</li>
</ul>
<p>
Note that some specific Handlers have been removed; you will not be able to use them anymore:
</p>
<ul>
<li class="level1"><div class="li"> Sympa AutoLogin</div>
</li>
<li class="level1"><div class="li"> UpdateCookie</div>
</li>
<li class="level1"><div class="li"> Internal Proxy</div>
</li>
</ul>
</div>
<!-- EDIT11 SECTION "Specific Handler" [4004-4473] -->
<h2 class="sectionedit12" id="saml_conditions_checking">SAML conditions checking</h2>
<div class="level2">
<p>
<div class="badge">Since 1.9.6</div>
</p>
<p>
The option to disable conditions checking in <abbr title="Security Assertion Markup Language">SAML</abbr> responses has been split into:
</p>
<ul>
<li class="level1"><div class="li"> Time conditions checking</div>
</li>
<li class="level1"><div class="li"> Audience conditions checking</div>
</li>
</ul>
<p>
By default, conditions are checked. Set them both to Off if you need to deactivate conditions checking.
</p>
</div>
<!-- EDIT12 SECTION "SAML conditions checking" [4474-] --></div>
</body>
</html>