# fusiondirectory issues

Feed: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues
Updated: 2024-03-28T10:51:25Z

## #6319 Add a check / warning when adding ssha512 password method that overlay pw-sha2 must be used
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6319
- Updated: 2024-03-28T10:51:25Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault

## #6318 The "default policy" is not applied
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6318
- Updated: 2024-03-24T18:04:51Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault

Hello @tdockx
- Install ppolicy plugin and overlay
- Add a default policy
```
dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
cn: default
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdCheckQuality: 0
pwdLockout: TRUE
pwdInHistory: 2
pwdMustChange: FALSE
```
- Add a user to the ACL editownpassword
- Connect with this user and change your password
- It will not trigger the history error or same password error if you don't assign the policy to the user explicitly
Cheers
![image](/uploads/d10b3a6cebc9b0362ba274c167e70f2c/image.png)
![image](/uploads/d2250270307e95b9ade38548d21d281c/image.png)
![image](/uploads/06a0f87a0439c115d5a3e3560b545f28/image.png)

## #6308 Having a way to create ordered away with a column as reference
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6308
- Updated: 2024-02-06T14:34:00Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault

Hello @tdockx
When we add elements, it would be nice to have a way to specify which column must be seen as reference so that we cannot have multiple entries.
It would be nice to have a concept of one unique key instead of one key with multiple status (with the latest one overwriting the old one).

## #6297 [CAS] - Issues with discovered SLO (SSO) not implemented. Making a new SSO auth validated not used and last login (session) being used.
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6297
- Updated: 2024-03-05T18:03:13Z
- Author: dockx thibault
- Assignee: dockx thibault
- Milestone: FusionDirectory 1.5

Please follow the below link to some information.
- https://apereo.github.io/cas/6.5.x/installation/Logout-Single-Signout.html
- https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6088
The current CAS (v1.6 not verified) - does not properly logout / remove (adapt) user sessions.

## #6295 We cannot create template for department types object
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6295
- Updated: 2023-10-03T12:38:32Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault

Hello @tdockx
We cannot create or use templates in the department category. There is no template mention in the dropdown action or filter.
Cheers

## #6290 Add the possibility to assign ACL to dynamic groups
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6290
- Updated: 2023-10-03T12:36:39Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault
- Milestone: FusionDirectory 1.5

Hello,
It would be interesting to have the possibility to define FusionDirectory ACL for a dynamic group.
Cheers

## #6289 [Core] - LDAP search methods are triggered when user is created reporting an error within logs
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6289
- Updated: 2023-10-03T12:35:32Z
- Author: dockx thibault
- Assignee: dockx thibault
- Milestone: FusionDirectory 1.4.1

### Description
[Core] - LDAP search methods are triggered when user is created reporting an error within logs
### Distribution Name and Version
Debian 11
### FusionDirectory Version
Repo
### PHP version used
7.4
### Origin of php packages
Repo
### Steps to Reproduce
Simply create a new user and inspect syslog
**Expected behavior:**
No error
**Actual behavior:**
**Jul 3 06:30:31 debian11-fd-vm slapd[2691]: conn=1049 op=2 do_search: invalid dn: "new"**
Jul 3 06:30:31 debian11-fd-vm php: FusionDirectory [fd-admin]: (create) uid=thibault,ou=people,dc=nodomain of type plugin/user objectClass,cn,sn,givenName,uid,userPassword: Success
Jul 3 06:30:31 debian11-fd-vm php: FusionDirectory [fd-admin]: (create) uid=thibault,ou=people,dc=nodomain of type plugin/userRoles objectClass: Success
**Reproduces how often:**
100%
### Additional Information
Does not occur on groups / departments or others save such as tasks.
Seems focused on Users creation.

## #6288 Make password mandatory based on hash method
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6288
- Updated: 2023-10-03T12:39:12Z
- Author: Jonathan Swaelens
- Assignee: dockx thibault
- Milestone: FusionDirectory 1.4.1

Hello @tdockx
The password is not mandatory by default, it can be seen if we make a template and set the hash method to ssha for example.
There is no `*`. It would be better if we can set it as mandatory based on the hash method.
Right now the workaround is to use an `%askme%` macro.
What do you think @bmortier ?

## #6287 Change version to 1.4-fixes
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6287
- Updated: 2023-10-03T12:37:39Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.4.1

Hello,
we need to change the version to 1.4-fixes
Cheers

## #6285 [Core] - Logic behind account lock must be revised
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6285
- Updated: 2023-10-03T12:37:59Z
- Author: dockx thibault
- Assignee: dockx thibault
- Milestone: FusionDirectory 1.5

When putting an account to a deactivate state, by default it deactivates the attribute userPassword by modifying the hash.
This is spread and updated among multiple LDAPs putting other services such as email into a "non-usable" state.
Other services could be impacted as well. In case the account must be deactivated, emails can / might still be available if required.
The full logic behind the locking / deactivation mechanism must be revisited.

## #6242 [PHP_FATAL_ERROR] - Management of error display in case of PHP_FATAL_ERROR - Automated CI and tests verification may produce that type of error.
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6242
- Updated: 2023-02-02T11:37:06Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

### Requirements
In case a PHP_ERROR_FATAL would be triggered, it would be important to have a clear message if DEBUG is on within FD.
## Descriptive title for this enhancement
<!-- required -->
### Actual behavior
As example, during the automated testing triggered by a merge request or packaging deployment, PHP_ERROR_FATAL may occur and result in a total failure of running tests. Without knowing the real reasons of the error, it is hard to debug properly.
### Expected behavior
A proper error message with the root cause of the problem is mandatory.
### Step by step description of new behavior
In order to reproduce a PHP_FATAL_ERROR, first the variables within variables.inc in /include must be ON. (Is Always ON during tests executions with CI).
For example, if a path to an ICON image cannot be found, a PHP_ERROR_FATAL will be thrown. Resulting in the deletion of the PHP session.
The error message should be triggered before the deletion of the session and the automated reload page (message would disappear).
### Benefits
Debugging time will be shorter as error message is reporting line and proper error message.
### Possible Drawbacks
None
### Applicable Issues
<!-- optional -->
<!-- Enter any applicable Issues here -->

## #6232 Password recovery allows spurious additional emails
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6232
- Updated: 2023-04-25T13:16:53Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

### Description
The password reset/recovery functions allow spurious, additional email addresses to be used beyond the email address or personal address for the outbound recovery email.
It is unclear where exactly this is occurring, but the behavior is obviously insecure and undesirable.
### Distribution Name and Version
Debian 10.13
### FusionDirectory Version
FusionDirectory 1.3.1
### PHP version used
PHP 7.3
### Origin of php packages
Debian distribution packages
### Steps to Reproduce
1. Bad actor inputs spurious additional input beyond a known-good email address on the recovery.php page
2. Password reset email is sent to the known-good email address as well as the bad actor
**Expected behavior:**
Input should be rejected or only the known-good matching email address should be used.
**Actual behavior:**
An email is sent to two locations - both directly to the user (as expected) and to the bad actor. This is sent as a single email with two recipients.
**Reproduces how often:**
It is unclear how reproducible this issue is. Inserting a basic comma does not pass the filtering requirement on the recovery form. However, we can confirm (from email logs and from the user themselves) that a recovery email was generated with two recipients.
### Additional Information
The URL generated might be helpful for tracking this down:
https://[Our FD installation]/recovery.php?uniq=[uniqueString]&login=[user]&email_address=[user]%40[our site]%00%2Ccirah11891%40botsoko.com
The "cirah11891%40botsoko.com" is the bad actor's email address (so I have no issues sharing it), although it's unclear how this a) passed validation checks or b) generated the 2nd recipient on the email.
After this incident, I have added some additional code to strip out any comma-separated email addresses and only use the first value (this is within the step2() function in class_passwordRecovery.inc), but even without that additional code, I was unable to replicate the issue directly.
My speculation is that something about the user-submitted string causes it to be ignored by the ldap filter, but the definition of `$this->email_address = $_POST['email_address'];` (line 314 in FD version 1.3.1) is never sanitized, allowing additional email address(es) to leak into the process.

## #6194 Make an unicity backend in FusionDirectory configuration
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6194
- Updated: 2023-06-25T21:02:07Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

## Descriptive title for this enhancement
Currently, all the unicity logic is in the code. It will be nice to be able to change it per attribute in the FusionDirectory configuration.
### Actual behavior
Only in the code
### Expected behavior
Possibility to change and adapt from UI
### Step by step description of new behaviour
1. Go to configuration
2. Use default or customize the unicity settings
3. Save
### Benefits
Having everything in LDAP and an easy way to change them
### Possible Drawbacks
It will need a change on any part that concerns the unicity (core, plugins).
It must be taken into account that someone can break the configuration. It will need a way to reset with default settings too.
### Applicable Issues
None

## #6175 Compatibility with PHP 8.1
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6175
- Updated: 2022-10-17T13:32:08Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

The main change we need to do is to avoid using is_resource function to check for success, because most resources are replaced by objects, and in 8.1 this will be the case for ldap links and results.

## #6091 Object deletion should not delete each tab separately
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6091
- Updated: 2022-02-21T21:17:34Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

An object deletion should result in only one LDAP deletion, not removal of each tab and then deletion on the node like currently.
This may make some trigger configuration harder, but it will be a lot better performance wise and avoid weird LDAP errors.
Can be built on top of #5747

## #6063 Partial entry created when error occurs in a tab
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6063
- Updated: 2022-09-30T18:41:40Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

### Description
I created an entry and enabled the mail tab in the creation screen. My LDAP directory is configured with unique overlay on mail attribute. If the mail of the created entry is not unique, I got an error, but the entry is created without the mail tab.
### Distribution Name and Version
Debian stable
### FusionDirectory Version
1.4-2~jenkinsbuild570
### Steps to Reproduce
1. Create a new entry, enter required information
2. Enable mail tab, set a mail address which already exists
3. Enter OK
**Expected behavior:**
Error message because LDAP Directory has rejected the mail attribute, and no entry created at all.
**Actual behavior:**
Error message because LDAP Directory has rejected the mail attribute, but entry is created without the mail attribute.
**Reproduces how often:**
100%
### Additional Information
Configuration of OpenLDAP unique overlay:
```
dn: olcOverlay={2}unique,olcDatabase={1}mdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {2}unique
olcUniqueURI: ldap:///?mail?sub
```

## #6022 use reuse from fsfe for licence compliance
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/6022
- Updated: 2022-02-21T21:36:38Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

## Descriptive title for this enhancement
use reuse from fsfe for license compliance https://reuse.software/
### Actual behavior
license compliance is done manually which is tedious and error prone
### Expected behavior
be able to check compliance with reuse tool and integrate into the gitlab ci
### Step by step description of new behaviour
<!-- Required -->
1. follow https://reuse.software/faq/
### Benefits
* no more management by hand
* discover license non compliance automatically
### Possible Drawbacks
conversion time
### Applicable Issues
license

## #5530 It would be useful for plugins to be able to declare triggers
- URL: https://gitlab.fusiondirectory.org/fusiondirectory/fd/-/issues/5530
- Updated: 2022-09-30T18:43:26Z
- Author: bmortier
- Assignee: bmortier
- Milestone: FusionDirectory 1.5

A plugin should be able to ask to be called in any standard triggers event (pre-modify on users for instance).