On some LDAP servers, the `uid` attribute is more like a guid, while the
username exists instead in a dedicated field, like `username`. This
means the `uid` is not necessarily equal to `username`.
This is allows referencing using the `uid` to search for groups in the same
way as `dn` so that one can explicitly match the `memberuid` to the `uid` for
the user without the assumptions that come with using `{0}`.
With previous configuration format rules were not ordered between groups and
thus not predictable. Also in some cases `any` must have been a higher
precedence than `groups`. Flattening the rules let the user apply whatever
policy he can think of.
When several rules match the (subject, domain, resource), the first one is
applied.
NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
The possible values for ACL policies are now: bypass, one_factor, two_factor,
deny.
This change also deprecate auth_methods because the method is now associated
directly to a resource in the ACLs instead of a domain.
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
Use the polyfill version of u2f API provided by Google.
https://github.com/mastahyeti/u2f-api
This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.
[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
In order to simplify the deployment of Authelia for
testing, LDAP is now optional made optional thanks
to users database stored in a file. One can update
the file manually even while Authelia is running.
With this feature the minimal configuration requires
only two components: Authelia and nginx.
The users database is obviously made for development
environments only as it prevents Authelia to be scaled
to more than one instance.
Note: Configuration has been updated. Key `ldap` has
been nested in `authentication_backend`.
This commit should fix#225.
In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.
I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
Before this patch, when Authelia started, if Mongo was not
up and running, Authelia failed to connect and never retried.
Now, everytime Authelia faces a broken connection, it tries
to reconnect during the next operation.
Currently notifications reflow the document which causes the interface
to jump twice which can be frustrating if you're trying to click
something.
This change makes the notification appear at the top of the form as
such:
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.
To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
A link to U2F explains what is a U2F security key and how they are used.
A tooltip on U2F device registration link is telling the user he needs a
security key to register.
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox. This change reintroduces the
official u2f script.