CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB


Debian Bug report logs - #928944


Reported by: Xavier <yadd@debian.org>

Date: Mon, 13 May 2019 19:09:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions lemonldap-ng/1.3.3-1, lemonldap-ng/1.9.7-3

Fixed in versions lemonldap-ng/2.0.2+ds-7+deb10u1, lemonldap-ng/1.9.7-3+deb9u1

Done: Xavier Guimard <yadd@debian.org>

Forwarded to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Mon, 13 May 2019 19:09:04 GMT)


Acknowledgement sent to Xavier <yadd@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 13 May 2019 19:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Xavier <yadd@debian.org>
To: submit@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Date: Mon, 13 May 2019 21:05:51 +0200
[Message part 1 (text/plain, inline)]
Package: liblemonldap-ng-portal-perl
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Found: 1.9.7-3

Hi all,

during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
 - [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
   enabled (default) and tokens are stored in session DB (not default,
   used with poor load-balancers), the token can be used to open an
   anonymous short-life session (2 min). It allows one to access all
   applications without additional rules
 - [high] for every version < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
   stored in sessions DB (not default), tokens can be used to have an
   anonymous session
 - [low] for every version < 2.0.4 or 1.9.19: when self-registration
   is allowed, mail token can be used to have an anonymous session.

Attachments:
 - lemonldap-ng_2.0.2+ds-6.debdiff: fix for stretch
 - lemonldap-ng_2.0.2+ds-7.patch: patch for Buster. It includes 3 new
   upstream tests to prove that vulnerabilities are fixed
 - llng-1742-test.sh: a small tool that can be used to test an existing
   2.0.x installation

This issue also affects Ubuntu-19.04 which includes lemonldap-ng_2.0.2+ds-6.

Cheers,
Xavier

[lemonldap-ng_2.0.2+ds-7.patch (text/x-patch, attachment)]
[llng-1742-test.sh (application/x-shellscript, attachment)]
[lemonldap-ng_1.9.7-3+deb9u1.debdiff (text/plain, attachment)]
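The attack vector described in the report above, modelled as an added example (Python, not Lemonldap::NG code): one key/value backend holds SSO sessions and the short-lived tokens (CSRF, SAML/OIDC, mail) side by side, and a handler that accepts any identifier found in that backend lets a token id stand in for a session cookie. The record layout, the kind names ("SSO", "TOKEN", "SAML"), the 120-second token lifetime and the `handler_allows` check are assumptions made for the illustration; the hardened loader shows the `_session_kind` comparison that the fix adds on session load.

```python
"""Model of the token-as-session confusion behind CVE-2019-12046.

Constructed example, not Lemonldap::NG code. One shared backend holds
SSO sessions and one-time tokens (CSRF, SAML/OIDC, mail). Record layout,
kind names and the handler check are assumptions for illustration.
"""
import secrets
import time

# Constructed shared backend: identifier -> record. In the real deployment
# this is the session DB (Apache::Session backend) used by the portal.
STORE = {}


def _new_id():
    return secrets.token_hex(16)


def create_sso_session(uid):
    """A real SSO session: the only kind a handler should ever accept."""
    sid = _new_id()
    STORE[sid] = {"_session_kind": "SSO", "_utime": time.time(), "uid": uid}
    return sid


def create_token(kind, ttl=120):
    """A short-lived token stored in the *same* backend as SSO sessions.

    `kind` is "TOKEN" for a CSRF token, "SAML" for a SAML/OIDC token, etc.
    (assumed names). No uid: the token is anonymous by construction.
    """
    tid = _new_id()
    STORE[tid] = {"_session_kind": kind, "_utime": time.time(),
                  "_expire": time.time() + ttl}
    return tid


def load_session_vulnerable(sid):
    """Before the fix: any identifier present in the backend is a session,
    so a token id presented as the session cookie yields an anonymous
    session for as long as the token lives."""
    return STORE.get(sid)


def load_session_fixed(sid, expected_kind="SSO"):
    """After the fix: the stored record must carry the kind the caller
    asked for. Records without the marker are rejected (fail closed)."""
    data = STORE.get(sid)
    if data is None:
        return None
    if data.get("_session_kind") != expected_kind:
        return None
    return data


def handler_allows(sid, loader):
    """Assumed handler logic: with no per-application rule, a loadable
    session is enough to grant access to every protected application."""
    return loader(sid) is not None


def demo():
    """Run both loaders against a session id and two token ids."""
    sso = create_sso_session("alice")
    csrf = create_token("TOKEN")
    saml = create_token("SAML")
    return {
        "sso_vuln": handler_allows(sso, load_session_vulnerable),
        "csrf_vuln": handler_allows(csrf, load_session_vulnerable),
        "saml_vuln": handler_allows(saml, load_session_vulnerable),
        "sso_fixed": handler_allows(sso, load_session_fixed),
        "csrf_fixed": handler_allows(csrf, load_session_fixed),
        "saml_fixed": handler_allows(saml, load_session_fixed),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:11s} access granted: {allowed}")
```

The vulnerable loader grants access for all three identifiers; the fixed one grants it only for the SSO session. Note that the fixed loader also refuses records that carry no `_session_kind` at all, which is the right default for a session DB but means sessions written before the upgrade are invalidated.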

Marked as found in versions lemonldap-ng/1.9.7-3. Request was from Xavier Guimard <yadd@debian.org> to control@bugs.debian.org. (Mon, 13 May 2019 19:33:06 GMT)


Message sent on to Xavier <yadd@debian.org>:
Bug#928944. (Mon, 13 May 2019 20:06:03 GMT)


Message #10 received at 928944-submitter@bugs.debian.org:

From: Xavier Guimard <noreply@salsa.debian.org>
To: 928944-submitter@bugs.debian.org
Subject: Bug#928944 marked as pending in lemonldap-ng
Date: Mon, 13 May 2019 20:04:08 +0000
Control: tag -1 pending

Hello,

Bug #928944 in lemonldap-ng reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/commit/fdf782dfb5acc4f6ee1cc465f17a9b7dc053cc92

------------------------------------------------------------------------
Add BTS reference

Closes: #928944
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/928944



Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 928944-submitter@bugs.debian.org. (Mon, 13 May 2019 20:06:03 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Mon, 13 May 2019 20:39:05 GMT)


Notification sent to Xavier <yadd@debian.org>:
Bug acknowledged by developer. (Mon, 13 May 2019 20:39:05 GMT)


Message #17 received at 928944-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 928944-close@bugs.debian.org
Subject: Bug#928944: fixed in lemonldap-ng 2.0.2+ds-7+deb10u1
Date: Mon, 13 May 2019 20:35:33 +0000
Source: lemonldap-ng
Source-Version: 2.0.2+ds-7+deb10u1

We believe that the bug you reported is fixed in the latest version of
lemonldap-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated lemonldap-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 May 2019 21:22:34 +0200
Source: lemonldap-ng
Architecture: source
Version: 2.0.2+ds-7+deb10u1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 928944
Changes:
 lemonldap-ng (2.0.2+ds-7+deb10u1) unstable; urgency=high
 .
   * Fix tokens security (Closes: #928944, CVE-2019-12046)
Checksums-Sha1: 
 ad84637e80b6235095fe9bcc62f221386612f179 3878 lemonldap-ng_2.0.2+ds-7+deb10u1.dsc
 2534be7e446006eaf798f85f7d5d09e846b02ee6 54880 lemonldap-ng_2.0.2+ds-7+deb10u1.debian.tar.xz
Checksums-Sha256: 
 061ac90c62f794caa1219f064c7671367a057fb80d201481c77d7347ee157ccb 3878 lemonldap-ng_2.0.2+ds-7+deb10u1.dsc
 5b15a7eb01303b3794f95f0918c390b2562b7f66338421a9f65d42d6189dc321 54880 lemonldap-ng_2.0.2+ds-7+deb10u1.debian.tar.xz
Files: 
 33549e0d27e2ab6a18c78238d1575d4e 3878 perl optional lemonldap-ng_2.0.2+ds-7+deb10u1.dsc
 089717bcca77f55930651da35fe68211 54880 perl optional lemonldap-ng_2.0.2+ds-7+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlzZy0gACgkQ9tdMp8mZ
7ukJkA/+MBaTdj94iyMipSvJR4uIX/FfREGsn1vi1eE6rXFq0odTfnNoYogZH3J1
9wdK8tbwpDvp6OX2ju7lA14a4NNKk0CxbwJEspWxzO/rivrJzYUgz9OMHivcevLJ
xdMSNucdLfpZVnt6YIHsR+LJcSYWoaRYvZIWTu4/mw1zyJgN40T6cTh8cut0QGds
kfqJOZ+Be2DR4Xdl6KH0nDnoeCTdZrsKaCte1HgDVT3roqCl2AWcveVa9L84ySwp
XXsGXJ8YQ20ZCLngS3tDowW9VXfScIeMk7c/MV7rhk1UQSDQeGD53zLFIxE1dI2p
FYf8pxh0DrY9jQudBH9bVNo0ELZLbl7p/2K/5rncHdrG/pbn48m/I8kd3dXVBN0G
iG+uBG10gNUPVyPccmv7L080Om25kVMj1fAaeN2JjuYJj32Ij6RWmcVvyupOMBGW
TSypSWbDsyqMUxZeA1BD6vHZvBntns73C4gM8kTYJxhtnozUSHQO3X1SZ+JT+K9m
pH196agz0F9RVoEKAgLAnQYKdnRlHBAapggJZa7dFzx7gNlJ4h0fLD23QyEz4Dki
9ECAPkIg1G/5id2UqBUkJY4sKhox0fqEE3gS2nuFoxogNUItKcZP2/DQt4d/58tA
DdUdGcMbHRdXUNvkryC5dVxzQtk7pmbsaMEt6hF5Ic6honVbq2o=
=iA9V
-----END PGP SIGNATURE-----




Marked as found in versions lemonldap-ng/1.3.3-1. Request was from Xavier Guimard <yadd@debian.org> to control@bugs.debian.org. (Tue, 14 May 2019 12:12:05 GMT)


Marked as fixed in versions lemonldap-ng/1.9.7-3+deb9u1. Request was from Xavier Guimard <yadd@debian.org> to control@bugs.debian.org. (Thu, 16 May 2019 06:18:02 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Fri, 17 May 2019 19:36:04 GMT)


Notification sent to Xavier <yadd@debian.org>:
Bug acknowledged by developer. (Fri, 17 May 2019 19:36:05 GMT)


Message #26 received at 928944-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 928944-close@bugs.debian.org
Subject: Bug#928944: fixed in lemonldap-ng 1.9.7-3+deb9u1
Date: Fri, 17 May 2019 19:32:09 +0000
Source: lemonldap-ng
Source-Version: 1.9.7-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
lemonldap-ng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated lemonldap-ng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 May 2019 18:51:54 +0200
Source: lemonldap-ng
Binary: lemonldap-ng lemonldap-ng-doc lemonldap-ng-fr-doc lemonldap-ng-fastcgi-server lemonldap-ng-handler liblemonldap-ng-handler-perl liblemonldap-ng-conf-perl liblemonldap-ng-common-perl liblemonldap-ng-manager-perl liblemonldap-ng-portal-perl
Architecture: source all
Version: 1.9.7-3+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Description:
 lemonldap-ng - OpenID-Connect, CAS and SAML compatible Web-SSO system
 lemonldap-ng-doc - Lemonldap::NG Web-SSO system documentation
 lemonldap-ng-fastcgi-server - Lemonldap::NG FastCGI server
 lemonldap-ng-fr-doc - French documentation of Lemonldap::NG Web-SSO system
 lemonldap-ng-handler - Lemonldap::NG handler part
 liblemonldap-ng-common-perl - Lemonldap::NG common files
 liblemonldap-ng-conf-perl - transitional dummy package
 liblemonldap-ng-handler-perl - Lemonldap::NG handler common libraries
 liblemonldap-ng-manager-perl - Lemonldap::NG manager part
 liblemonldap-ng-portal-perl - Lemonldap::NG authentication portal part
Closes: 928944
Changes:
 lemonldap-ng (1.9.7-3+deb9u1) stretch-security; urgency=medium
 .
   * Add patch to fix token security (Closes: #928944, CVE-2019-12046)
Checksums-Sha1:
 48ac4f550408ce15ad1903866b0684ef217292f4 3632 lemonldap-ng_1.9.7-3+deb9u1.dsc
 54ccde89e4bdf76ed5605b16abee4a6e5c4b6368 17288955 lemonldap-ng_1.9.7.orig.tar.gz
 ddd5a6cc413f72fa7c49177f904c7d672d9ae0ed 38788 lemonldap-ng_1.9.7-3+deb9u1.debian.tar.xz
 24eff67d0a266cd9f3d8b07706d01b83bff5ec4d 4613328 lemonldap-ng-doc_1.9.7-3+deb9u1_all.deb
 136c13fad907a043c9059a48a990b31143379c1f 53462 lemonldap-ng-fastcgi-server_1.9.7-3+deb9u1_all.deb
 ef5be6d2711708bc441a02cf90a56177b33f6ad6 194680 lemonldap-ng-fr-doc_1.9.7-3+deb9u1_all.deb
 21ddd6df5c0837da1ea8f17125795ae8712ed002 49670 lemonldap-ng-handler_1.9.7-3+deb9u1_all.deb
 db1c89e66e1205aff7b53c55a42eb3a7ceb8da68 46196 lemonldap-ng_1.9.7-3+deb9u1_all.deb
 3be960ba22de18ab086618a18118b0f5b9b9ec2d 13740 lemonldap-ng_1.9.7-3+deb9u1_amd64.buildinfo
 d71958c5b3ee7a58bcebb1523e8cd352632e37dd 145630 liblemonldap-ng-common-perl_1.9.7-3+deb9u1_all.deb
 0c784880ff5e9aaab4780dd8e5ced1539fdebaa3 44508 liblemonldap-ng-conf-perl_1.9.7-3+deb9u1_all.deb
 9b2b6170f3132816645b296a7a13b02af1dfc083 109224 liblemonldap-ng-handler-perl_1.9.7-3+deb9u1_all.deb
 b61336e28d2be7593d1b274064ba4cb02b88a359 279880 liblemonldap-ng-manager-perl_1.9.7-3+deb9u1_all.deb
 e9c35721719ae13d9e6f8b47b80fd7b742dd68f4 3101176 liblemonldap-ng-portal-perl_1.9.7-3+deb9u1_all.deb
Checksums-Sha256:
 aa1a0555cc293b0d2824dd6b048bad652f648e15db0764ad0e456d94012d65b5 3632 lemonldap-ng_1.9.7-3+deb9u1.dsc
 c5fa5c46f46e71535b4850bc4eb7e6b877457b022988dadffa36fff75a8c77b1 17288955 lemonldap-ng_1.9.7.orig.tar.gz
 b40082ce28b332e217c1d7d7ef7e8afbb875ba569fc738e9ea603cba41d392b7 38788 lemonldap-ng_1.9.7-3+deb9u1.debian.tar.xz
 563f107ddff8ce55d1220ffb476aec651a1fb7e4d7e9611443b70e7a118837ad 4613328 lemonldap-ng-doc_1.9.7-3+deb9u1_all.deb
 fb9511389553dc3f506608df788ff92cc5d9c71f657594dcb21b2562b50b2f1a 53462 lemonldap-ng-fastcgi-server_1.9.7-3+deb9u1_all.deb
 f8916faa4f369e9f482628b7ddb82605cae9b523536f822ca2122d2ba12a43b1 194680 lemonldap-ng-fr-doc_1.9.7-3+deb9u1_all.deb
 944927de7fe549c77f9074faaaaa1536d75e4357574451f9e69436a973dfe6a3 49670 lemonldap-ng-handler_1.9.7-3+deb9u1_all.deb
 67d9afc417620e8881ecd7042c19a4a62f8db956b6cd78cb7dd3080c95226095 46196 lemonldap-ng_1.9.7-3+deb9u1_all.deb
 0ab3915b53ae34605b08b94fc44525dea581c87b3e6524b5e43d798761216894 13740 lemonldap-ng_1.9.7-3+deb9u1_amd64.buildinfo
 30964b752d07045c9d999dd457ac5d20762e7da88d68b147711668e393af456f 145630 liblemonldap-ng-common-perl_1.9.7-3+deb9u1_all.deb
 18f241a922946a6b3c091a9052bc20eb14245a3163938063acfdfbe1808bb685 44508 liblemonldap-ng-conf-perl_1.9.7-3+deb9u1_all.deb
 8331b419ad124e8c009728bb645056829ba64dd9742085afbe55320d2d77db71 109224 liblemonldap-ng-handler-perl_1.9.7-3+deb9u1_all.deb
 a779080c88312889d48b5eca443a993d3fe2700e70eb32e27328b88c55654a7d 279880 liblemonldap-ng-manager-perl_1.9.7-3+deb9u1_all.deb
 46596524718c468358be52e1b89ed289ba7fc1510fe337c82136d058b2b78c98 3101176 liblemonldap-ng-portal-perl_1.9.7-3+deb9u1_all.deb
Files:
 32a5ac6877db62a0dc4eadfaf00795ba 3632 perl extra lemonldap-ng_1.9.7-3+deb9u1.dsc
 fdc06136dd679a668e3227a4b811c6ec 17288955 perl extra lemonldap-ng_1.9.7.orig.tar.gz
 0084cc54eee5b1074d3ee163d3124b4c 38788 perl extra lemonldap-ng_1.9.7-3+deb9u1.debian.tar.xz
 1bf4a123405f3cd8e6f94135e7d23713 4613328 doc extra lemonldap-ng-doc_1.9.7-3+deb9u1_all.deb
 166b941ad7fba9772ce8c1178ca47585 53462 web extra lemonldap-ng-fastcgi-server_1.9.7-3+deb9u1_all.deb
 1230fcef5de6ce6f17a165c6a71a0324 194680 doc extra lemonldap-ng-fr-doc_1.9.7-3+deb9u1_all.deb
 804f68366f3b4fccfb11deada9294907 49670 perl extra lemonldap-ng-handler_1.9.7-3+deb9u1_all.deb
 a30ae284c9ca0464214ac47704b58dd9 46196 perl extra lemonldap-ng_1.9.7-3+deb9u1_all.deb
 01fc8f8f55434ce9e540f7ad570fcaf9 13740 perl extra lemonldap-ng_1.9.7-3+deb9u1_amd64.buildinfo
 93beccc4a4d749c2cfa8047ac3968d4c 145630 perl extra liblemonldap-ng-common-perl_1.9.7-3+deb9u1_all.deb
 d576e18eaf64bfd0faf6efc0159fcdce 44508 oldlibs extra liblemonldap-ng-conf-perl_1.9.7-3+deb9u1_all.deb
 f3fb876e7fac8d079fcc6ebf132dc881 109224 perl extra liblemonldap-ng-handler-perl_1.9.7-3+deb9u1_all.deb
 2e95b41405e9f7b2794adf86568b28ec 279880 perl extra liblemonldap-ng-manager-perl_1.9.7-3+deb9u1_all.deb
 8dad7765e6ab2feb3b5dd5334fda88b5 3101176 perl extra liblemonldap-ng-portal-perl_1.9.7-3+deb9u1_all.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Mon, 20 May 2019 09:27:09 GMT)


Acknowledgement sent to "ALARY, Thomas" <T.ALARY@axione.fr>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 20 May 2019 09:27:09 GMT)


Message #31 received at 928944@bugs.debian.org:

From: "ALARY, Thomas" <T.ALARY@axione.fr>
To: "928944@bugs.debian.org" <928944@bugs.debian.org>
Date: Mon, 20 May 2019 09:16:49 +0000
[Message part 1 (text/plain, inline)]
Hello,

We have a 1.6 version.
How can I check if SAML/OIDC tokens are stored in the sessions DB?

Regards,

Thomas Alary
Information Systems Security Administrator
Performance, Process and Business IS Department
IS Operations, Technical Expertise and Middleware Unit

26 av des Lilas
64009 Pau cedex
✉ thomas.alary@axione.fr
☎ 05.33.66.10.43
Axione <http://www.axione.fr/>

------

Any data and information contained in this electronic mail is personal, confidential and secret. Any total or partial publication, use or distribution must be authorized. If you are not the right addressee, we ask you not to read, copy, use or disclose this communication. Please notify this error to the sender and erase at once this communication from your system.
[Message part 2 (text/html, inline)]
[image001.png (image/png, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Mon, 20 May 2019 10:36:05 GMT)


Acknowledgement sent to "Xavier" <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 20 May 2019 10:36:05 GMT)


Message #36 received at 928944@bugs.debian.org:

From: "Xavier" <yadd@debian.org>
To: ALARY, Thomas <T.ALARY@axione.fr>, 928944@bugs.debian.org
Subject: Re: Bug#928944:
Date: Mon, 20 May 2019 11:48:43 +0200
On Monday, May 20, 2019 11:16 CEST, "ALARY, Thomas" <T.ALARY@axione.fr> wrote:

> Hello,
>
> We have a 1.6 version.
> How can I check if SAML/OIDC tokens are stored in the sessions DB?

1.6 does not exist. However, in any version, take a look at samlStorageOptions to see if it is different from globalStorageOptions. The patch given for 1.9.x can be applied to the 1.4.x series.

Cheers,
Xavier
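One way to apply the check Xavier describes above to a whole configuration, as an added example (Python, not a Lemonldap::NG tool): compare each protocol's `*Storage`/`*StorageOptions` pair against `globalStorage`/`globalStorageOptions` and report the protocols whose token store resolves to the SSO session store. The two configurations are constructed; treating the configuration as one JSON object with those keys, the `check_file` path argument, and treating an unset per-protocol storage as falling back to the global one are assumptions of the example.

```python
"""Report SAML/OIDC token stores that share the SSO session backend.

Added example, not a Lemonldap::NG tool. Assumptions: the configuration
is available as one JSON object keyed like the Lemonldap::NG settings
(globalStorage, globalStorageOptions, samlStorage, ...); a protocol
whose *Storage key is unset is treated as using the global storage.
"""
import json

PROTOCOLS = ("saml", "oidc")


def _backend(conf, prefix):
    """Return a comparable (module, options) pair for `prefix`
    ('global', 'saml' or 'oidc'), or None when no module is configured.
    Options are serialised with sorted keys so that key order in the
    configuration does not matter."""
    module = conf.get(prefix + "Storage")
    if not module:
        return None
    options = conf.get(prefix + "StorageOptions") or {}
    return (module, json.dumps(options, sort_keys=True))


def shared_storages(conf):
    """Return the protocol prefixes whose token store is the SSO session
    store: same module with the same options, or no dedicated store at
    all (assumed to fall back to globalStorage)."""
    global_backend = _backend(conf, "global")
    shared = []
    for proto in PROTOCOLS:
        backend = _backend(conf, proto)
        if backend is None or backend == global_backend:
            shared.append(proto)
    return shared


def check_file(path):
    """Run the check on a JSON configuration dump (path is an assumption)."""
    with open(path) as fh:
        return shared_storages(json.load(fh))


# Constructed configurations for illustration.
SESSION_DIR = "/var/lib/lemonldap-ng/sessions"
VULNERABLE_CONF = {
    "globalStorage": "Apache::Session::File",
    "globalStorageOptions": {"Directory": SESSION_DIR,
                             "LockDirectory": SESSION_DIR + "/lock"},
    # SAML sessions point at the very same directory as SSO sessions;
    # oidcStorage is not set at all.
    "samlStorage": "Apache::Session::File",
    "samlStorageOptions": {"LockDirectory": SESSION_DIR + "/lock",
                           "Directory": SESSION_DIR},
}
SEPARATED_CONF = {
    **VULNERABLE_CONF,
    "samlStorageOptions": {"Directory": "/var/lib/lemonldap-ng/saml",
                           "LockDirectory": "/var/lib/lemonldap-ng/saml/lock"},
    "oidcStorage": "Apache::Session::File",
    "oidcStorageOptions": {"Directory": "/var/lib/lemonldap-ng/oidc",
                           "LockDirectory": "/var/lib/lemonldap-ng/oidc/lock"},
}

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF),
                       ("separated", SEPARATED_CONF)):
        shared = shared_storages(conf)
        print(f"{name}: token store shared with SSO sessions for "
              f"{', '.join(shared) if shared else 'no protocol'}")
```

A non-empty result means token identifiers land in the same backend as SSO sessions, which is the precondition for the high-severity SAML/OIDC issue in the report; an empty result does not cover the mail-token case, which the report lists separately.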




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Tue, 21 May 2019 19:42:07 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 21 May 2019 19:42:07 GMT)


Message #41 received at 928944@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Xavier <yadd@debian.org>
Cc: 928944@bugs.debian.org
Subject: Re: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Date: Tue, 21 May 2019 21:40:35 +0200
[Message part 1 (text/plain, inline)]
Hi Xavier,

     # Load session data into object
     if ($data) {
+        if ( $self->kind ) {
+            unless ( $data->{_session_kind} eq $self->kind ) {
+                $self->error("Session kind mistmatch");
+                return undef;
+            }
+        }
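Review bot: the strict `eq` against `$self->kind` refuses every record whose stored kind differs from the one the caller asked for, so legitimate cross-domain sessions are rejected too, which is exactly the CDA breakage reported here (`_session_kind` is "CDA" while `$self->kind` is "SSO"); the fix should either accept an explicit set of kinds per caller (the SSO loader admitting CDA records) or make the CDA code path request the kind it actually stores. Two smaller points in the same hunk: sessions written before the upgrade carry no `_session_kind` at all, so `$data->{_session_kind} eq $self->kind` fails for them (and warns about an undefined value under `use warnings`), which silently logs every existing user out on upgrade and should be stated in the changelog or handled by a migration; and the error string "Session kind mistmatch" misspells "mismatch", which matters because operators will grep for it.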

Doesn't that break CDA in 1.9.7-3+deb9u1?  At least I'm no longer able
to access a protected application under domains other than the portal.

Error output shows occurrences of “Session kind mistmatch” instead, and
further debugging suggests that $data->{_session_kind} is "CDA" while
$self->kind is "SSO" in the execution flow that yields access denial.

-- 
Guilhem.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Wed, 22 May 2019 05:39:03 GMT)


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 22 May 2019 05:39:03 GMT)


Message #46 received at 928944@bugs.debian.org:

From: Xavier <yadd@debian.org>
To: Guilhem Moulin <guilhem@debian.org>
Cc: 928944@bugs.debian.org
Subject: Re: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Date: Wed, 22 May 2019 07:34:06 +0200
On 21 May 2019 21:40:35 GMT+02:00, Guilhem Moulin <guilhem@debian.org> wrote:
>Hi Xavier,
>
>     # Load session data into object
>     if ($data) {
>+        if ( $self->kind ) {
>+            unless ( $data->{_session_kind} eq $self->kind ) {
>+                $self->error("Session kind mistmatch");
>+                return undef;
>+            }
>+        }
>
>Doesn't that break CDA in 1.9.7-3+deb9u1?  At least I'm no longer able
>to access a protected application under domains other than the portal.
>
>Error output shows occurrences of “Session kind mistmatch” instead, and
>further debugging suggests that $data->{_session_kind} is "CDA" while
>$self->kind is "SSO" in the execution flow that yields access denial.

Hello,

It seems that Clément has fixed something related to that feature. Could you try https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 ?

If it's OK, I'll propose a stretch update

-- 
Sent with my EELO / K-9 Mail



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#928944; Package liblemonldap-ng-portal-perl. (Wed, 22 May 2019 11:51:03 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 22 May 2019 11:51:03 GMT)


Message #51 received at 928944@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Xavier <yadd@debian.org>
Cc: 928944@bugs.debian.org
Subject: Re: CVE-2019-12046: lemonldap-ng tokens allows anonymous session when stored in session DB
Date: Wed, 22 May 2019 13:47:04 +0200
[Message part 1 (text/plain, inline)]
On Wed, 22 May 2019 at 07:34:06 +0200, Xavier wrote:
> It seems that Clément has fixed something related to that feature.
> Could you try https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/deff50f072c64898d1204daa28c01fdcc7275ea4 ?

That solves the issue indeed, thanks for the pointer!  I ended up
amending the patch as attached though:

 * Not setting the ‘Access-Control-Allow-Origin: *’ header is upstream
   issue #1519, fixed in e6c034a38aa0e7dadcf0ce87809193b327fbc0e5.

 * The second to last hunk from deff50f072c64898d1204daa28c01fdcc7275ea4
   (-2134,8 +2137,10) doesn't apply, and as it's only cosmetic
   (whitespace change) I just skipped it.

Cheers,
-- 
Guilhem.
[llng.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:23:10 2019; Machine Name: buxtehude
