-
v2.0.1 protected
Minor bug and regression fixes for v2.0.0 Value formatting of OAuth2 logout URIs in the service admin interface did not add separating newlines. The service overview page returned 404 (Not Found) in cases it previously did not. The behavior was changed for consistency with other pages.
-
v2.0.0 protected
Major release removing LDAP support Added: * Service and non-service users may use the same Unix UID range * CLI commands for managing users, groups and roles * 2FA status of users is visible in admin interface * Database-stored service objects that group OAuth2 and API clients together Removed: * Support for old invite, selfservice and signup links (deprecated in v1.1.1) * ENABLE_INVITE, ENABLE_PASSWORDRESET, ENABLE_ROLESELFSERVICE config options Changed: * User, group and mail alias data is stored in the database instead of an LDAP server. Existing objects are imported. All LDAP support is removed. * Receive addresses of mail aliases are subject to alphabet constraints and converted to lower-case on import * Group names are subject to alphabet and length constraints * OAuth2 clients * Removed parameter "login_message" * Parameter "group_required" no longer supports AND/OR conjunctions of multiple groups, only a single group name * Clients defined with OAUTH2_CLIENTS config option moved to database. Existing clients are imported. * Service name is displayed in place of the client_id during device login * OAuth2 userinfo endpoint no longer exposes "ldap_dn" * API clients * Removed API_CLIENTS config option (deprecated in v1.2.0) * Clients defined with API_CLIENTS_2 config option moved to database. Existing clients are imported. * Argon2 replaces salted SHA256 for hashing user passwords. Existing passwords are gradually migrated on login. Argon2 has a significant impact on CPU and memory utilization. * Default UWSGI config uses multiple workers * Enabled foreign key support for SQLite * Expired objects are no longer deleted during request processing. Instead the CLI command "cleanup" must be run at least daily. The Debian package includes a cron job for this. * Environment variable CONFIG_PATH superseds CONFIG_FILENAME * The default value of config option ACL_ACCESS_GROUP changed See UPGRADE.md for detailed upgrade instructions. -
v1.2.0 protected
New API auth mechanism, deprecation of old one The old Bearer-based authentication (config key API_CLIENTS) is deprecated and will be removed in v2.0.0. The new auth mechanism uses config key API_CLIENTS_2.