LinOTP 3.4 and SelfService 1.3.1
netgo software GmbH is pleased to announce the availability of the following product release:
On November 14th we released LinOTP 3.4 and SelfService 1.3.1 to the Debian repositories.
LinOTP 3.4
LinOTP 3.4 brings breaking changes, features and fixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.
Highlights:
- improved `linotp backup create` CLI
- improved audit log entries
- reporting api change: If the `realms` parameter is omitted, the realm `/:no realm:/` is now also evaluated
LinOTP SelfService 1.3.1
SelfService 1.3.1 brings bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.
Fixes:
- verify warning is removed when a token is enrolled with successful verification
- users can login with, test and verify forwarding tokens targeting any common token
Download
LinOTP 3.4 and SelfService 1.3.1 are available as Debian packages from www.linotp.org.
Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.
We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de
The LinOTP team
--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Sachsendamm 63-64, 10829 Berlin
Registered Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany
Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de
Changelog LinOTP 3.4
Breaking Changes:
- For the container, the `client=` HTTP POST parameter is deprecated and disabled by default. It will be removed in an upcoming version of LinOTP. It can be re-enabled by setting the `GET_CLIENT_ADDRESS_FROM_POST_DATA` config to a true value (the default is "false", for security reasons). Only when it is re-enabled is the "Authorization:" config on the "System config" dialog in the web-based management UI available again, and only then are `client=` parameters evaluated.
- default of `BACKUP_DIR` is now /var/backups/linotp for the Debian package
- the CLI `linotp backup create` uses `BACKUP_DIR` to save backups instead of the current working directory
- breaking changes to the `linotp audit cleanup` CLI:
  - option `--no-export` is removed
  - option `--export` is added to trigger the export
  - export is disabled by default. Use `linotp audit cleanup --export` to trigger it. This restores LinOTP 2.x behavior
  - options `--min` and `--max` are removed. They are replaced by `--max-entries-to-keep` and `--cleanup-threshold`:
    - `--max-entries-to-keep` (default: 5000) specifies the number of entries to be retained in the audit database.
    - `--cleanup-threshold` (optional): cleanup is only initiated if the number of entries exceeds this threshold. Must be greater than `--max-entries-to-keep`. No threshold is active by default, i.e. technically speaking, this parameter is equal to `--max-entries-to-keep` by default.
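The interplay of `--max-entries-to-keep`, `--cleanup-threshold`, `--export` and the new `--delete-after-days` option (listed under Features below) is easier to see in code. The following is an added illustration written for this newsletter, not LinOTP's own implementation: it models the documented option semantics over a constructed in-memory list of audit entries. The function and dataclass names, the representation of entries and the assumption that "starting from the beginning of the day" means the cutoff is midnight of the day `N` days before today are ours.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed stand-in for an audit table row (not LinOTP's schema).
@dataclass(frozen=True)
class AuditEntry:
    id: int
    timestamp: datetime


def plan_audit_cleanup(entries, *, max_entries_to_keep=None, cleanup_threshold=None,
                       delete_after_days=None, today=None):
    """Return the sorted ids that `linotp audit cleanup` would delete.

    None means "option not given on the command line". Mirrors the documented rules:
    - --delete-after-days is exclusive with --max-entries-to-keep / --cleanup-threshold
    - --max-entries-to-keep defaults to 5000
    - --cleanup-threshold must be greater than --max-entries-to-keep and, when absent,
      is treated as equal to it (so cleanup runs as soon as more than N entries exist)
    """
    if delete_after_days is not None:
        if max_entries_to_keep is not None or cleanup_threshold is not None:
            raise ValueError("--delete-after-days cannot be combined with "
                             "--max-entries-to-keep or --cleanup-threshold")
        today = today or date.today()
        # Assumption: the age cutoff is midnight at the start of the day N days ago.
        cutoff = datetime.combine(today - timedelta(days=delete_after_days),
                                  datetime.min.time())
        return sorted(e.id for e in entries if e.timestamp < cutoff)

    keep = 5000 if max_entries_to_keep is None else max_entries_to_keep
    if cleanup_threshold is not None and cleanup_threshold <= keep:
        raise ValueError("--cleanup-threshold must be greater than --max-entries-to-keep")
    threshold = keep if cleanup_threshold is None else cleanup_threshold
    if len(entries) <= threshold:
        return []  # threshold not exceeded: nothing is touched
    newest_first = sorted(entries, key=lambda e: (e.timestamp, e.id), reverse=True)
    return sorted(e.id for e in newest_first[keep:])


def run_audit_cleanup(entries, *, export=False, **options):
    """Apply the plan. Returns (remaining entries, exported entries).

    Export is off unless --export is given, as in 3.4; the deleted rows are only
    handed back for export when requested.
    """
    doomed = set(plan_audit_cleanup(entries, **options))
    remaining = [e for e in entries if e.id not in doomed]
    exported = [e for e in entries if e.id in doomed] if export else []
    return remaining, exported


# Constructed sample data: eight entries, one per day, newest (id 8) on 2024-11-14 12:00.
BASE = datetime(2024, 11, 14, 12, 0)
SAMPLE_ENTRIES = [AuditEntry(i, BASE - timedelta(days=8 - i)) for i in range(1, 9)]

if __name__ == "__main__":
    print(plan_audit_cleanup(SAMPLE_ENTRIES, max_entries_to_keep=5))
    print(plan_audit_cleanup(SAMPLE_ENTRIES, delete_after_days=3, today=date(2024, 11, 14)))
```

Running the module prints the ids that a keep-5 cleanup and a 3-day age cleanup would remove from the sample set; note that with the default threshold a single entry over the keep count already triggers a cleanup, whereas an explicit higher threshold lets the table grow before it is trimmed back to the keep count.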
Features:
- `TRUSTED_PROXIES` config variable is added to configure LinOTP's proxy trust. When set, this config overrides (i.e. disables) the trusted forwarding proxy configuration in the management UI ("System config" dialog).
- add option `--delete-after-days` to `linotp audit cleanup`: Delete entries older than the given number of days (starting from the beginning of the day). Can't be used alongside `--max-entries-to-keep` or `--cleanup-threshold`!
- improved debug log output for TOTP resync routine
- improved (mostly by reducing) debug log output during server start and request context.
- reporting api change: If the `realms` parameter is omitted, the realm `/:no realm:/` is now also evaluated.
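Two of the changes above, the `TRUSTED_PROXIES` variable and the disabled-by-default `client=` POST parameter, both concern the same question: which client address LinOTP attributes a request to. A caller-supplied address matters because policies and the audit log key on it, so it should only ever come from a source the deployment has explicitly chosen to trust. The example below is added here to illustrate that trust logic; it is not LinOTP's code and its names are ours. It assumes a list of trusted proxy CIDRs (`trusted_proxies`), an `X-Forwarded-For` header walked from the right so that only hops appended by trusted proxies are skipped, and, as a stand-in for the "Authorization:" config, a separate `post_client_authorized` CIDR list naming the peers whose `client=` value may be honored when the flag is on.

```python
import ipaddress


def _networks(cidrs):
    # Accept host addresses as /32 or /128 as well as proper CIDR ranges.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_networks(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in networks)


def resolve_client_address(remote_addr, forwarded_for=None, post_client=None, *,
                           trusted_proxies=(), get_client_address_from_post_data=False,
                           post_client_authorized=()):
    """Decide which address a request is attributed to.

    remote_addr: the TCP peer as seen by the server (always authentic).
    forwarded_for: raw X-Forwarded-For header value, or None.
    post_client: value of a client= form parameter, or None.
    """
    trusted = _networks(trusted_proxies)
    client = remote_addr

    # 1. Only honor X-Forwarded-For when the direct peer is a trusted proxy.
    #    Walk right to left: the rightmost hops were appended by our proxies; the
    #    first hop that is not a trusted proxy is the real client.
    if forwarded_for and _in_networks(remote_addr, trusted):
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            if _in_networks(hop, trusted):
                continue
            try:
                client = str(ipaddress.ip_address(hop))
            except ValueError:
                client = remote_addr  # garbage in the header: fall back to the peer
            break

    # 2. The client= POST parameter is off by default (GET_CLIENT_ADDRESS_FROM_POST_DATA).
    #    Even when on, only a peer listed in the (assumed) authorization list may use it,
    #    since anyone can put an arbitrary value into a form field.
    if get_client_address_from_post_data and post_client:
        if _in_networks(remote_addr, _networks(post_client_authorized)):
            try:
                client = str(ipaddress.ip_address(post_client))
            except ValueError:
                pass  # ignore a malformed client= value
    return client


if __name__ == "__main__":
    # Constructed requests: a reverse proxy in 10.0.0.0/8 in front of LinOTP.
    cfg = {"trusted_proxies": ["10.0.0.0/8"]}
    print(resolve_client_address("10.0.0.5", "203.0.113.7, 10.0.0.9", **cfg))
    print(resolve_client_address("198.51.100.4", "203.0.113.7", **cfg))
    print(resolve_client_address("10.0.0.5", None, post_client="203.0.113.99", **cfg))
```

The second call shows the important case: a direct, untrusted peer sending its own `X-Forwarded-For` is attributed to its real address, and the third shows that a `client=` value is ignored unless the flag is enabled and the peer is on the authorized list.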
Fixes:
- when rolling out a forwarding token via /manage, the serial of the target token is included in the description
- faulty JWTs don't cause a `500 Internal Server Error` anymore and the error gets logged properly
- the login and logout endpoints for admin authentication were mixed into all /api/v2 controllers, which made it possible to use e.g. /api/v2/realms/login. Please use only /admin/login and /admin/logout
- faulty policies (e.g. `totp_hashlib=sha256`) now return and log a meaningful error message
- audit log entries for `/admin/login` and `/admin/logout` now state `success`, `user`, `realm` and `administrator` correctly
- audit log entries for userservice API requests state the correct `success` value
- the last provider (of any kind) can now be deleted
- non-default providers can now be deleted as expected if and only if they are not part of an authentication policy
- audit log entries for `/userservice/logout` now state `user` and `realm` correctly
- restored the `period` return attribute in the /reporting/period API endpoint to resolve a missing-data issue
Changelog LinOTP SelfService 1.3.1
Breaking Changes:
- verify warning is removed when a token is enrolled with successful verification
- users can login with, test and verify forwarding tokens targeting any common token