LDAPAccountManager/lam/docs/README.security.txt


1. Use of SSL

   The data which is transfered between you and LAM is very sensitive.
   Please always use SSL encrypted connections between LAM and your browser to
   protect yourself against network sniffers.


2. LDAP+SSL and TLS

   LAM should start TLS automatically if possible. LDAP+SSL will be used if you use
   ldaps://servername in your configuration profile.


3. Chrooted servers

   If your server is chrooted and you have no access to /dev/random or /dev/urandom
   this can be a security risk. LAM stores your LDAP password encrypted in the session.
   LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible.
   Therefore the key can be easily guessed.
   An attaker needs read access to the session file (e.g. by another Apache instance) to
   exploit this.


4. Protection of your LDAP password and directory contents

   You have to install the MCrypt extension for PHP to enable encryption.

   Your LDAP password is stored encrypted in the session file. The key and IV to decrypt
   it are stored in two cookies. We use MCrypt/AES to encrypt the password.
   All data that was read from LDAP and needs to be stored in the session file is also
   encrypted.


5. Apache configuration

   LAM includes several .htaccess files to protect your configuration files and temporary
   data. Apache is often configured to not use .htaccess files by default.
   Therefore, please check your Apache configuration and change the override setting to:

     AllowOverride All

   If you are experienced in configuring Apache then you can also copy the security settings
   from the .htaccess files to your main Apache configuration.

   If possible, you should not rely on .htaccess files but also move the config and sess
   directory to a place outside of your WWW root. You can put a symbolic link in the LAM
   directory so that LAM finds the configuration/session files.


   Security sensitive directories:

   config: Contains your LAM configuration and account profiles
           - LAM configuration clear text passwords
           - default values for new accounts
           - directory must be accessibly by Apache but needs not to be accessible by the browser

   sess: PHP session files
         - LAM admin password in clear text or MCrypt encrypted
         - cached LDAP entries in clear text or MCrypt encrypted
         - directory must be accessibly by Apache but needs not to be accessible by the browser

   tmp: temporary files
        - PDF documents which may also include passwords
        - images of your users
        - directory contents must be accessible by browser but directory itself must not be browseable
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
			`1. Use of SSL`

			`The data which is transfered between you and LAM is very sensitive.`
			`Please always use SSL encrypted connections between LAM and your browser to`
			`protect yourself against network sniffers.`


			`2. LDAP+SSL and TLS`

			`LAM should start TLS automatically if possible. LDAP+SSL will be used if you use`
			`ldaps://servername in your configuration profile.`


			`3. Chrooted servers`

			`If your server is chrooted and you have no access to /dev/random or /dev/urandom`
			`this can be a security risk. LAM stores your LDAP password encrypted in the session.`
			`LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible.`
			`Therefore the key can be easily guessed.`
			`An attaker needs read access to the session file (e.g. by another Apache instance) to`
			`exploit this.`


removed Blowfish encryption because of bad performance 2005-08-10 19:18:35 +00:00			`4. Protection of your LDAP password and directory contents`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
removed Blowfish encryption because of bad performance 2005-08-10 19:18:35 +00:00			`You have to install the MCrypt extension for PHP to enable encryption.`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00
removed Blowfish encryption because of bad performance 2005-08-10 19:18:35 +00:00			`Your LDAP password is stored encrypted in the session file. The key and IV to decrypt`
			`it are stored in two cookies. We use MCrypt/AES to encrypt the password.`
			`All data that was read from LDAP and needs to be stored in the session file is also`
			`encrypted.`
added correct file endings, updated documentation 2004-02-25 19:49:41 +00:00

added note on .htaccess files 2007-01-30 18:33:08 +00:00			`5. Apache configuration`

			`LAM includes several .htaccess files to protect your configuration files and temporary`
			`data. Apache is often configured to not use .htaccess files by default.`
			`Therefore, please check your Apache configuration and change the override setting to:`

			`AllowOverride All`

			`If you are experienced in configuring Apache then you can also copy the security settings`
			`from the .htaccess files to your main Apache configuration.`

improved Apache part 2007-03-13 17:43:47 +00:00			`If possible, you should not rely on .htaccess files but also move the config and sess`
			`directory to a place outside of your WWW root. You can put a symbolic link in the LAM`
			`directory so that LAM finds the configuration/session files.`


			`Security sensitive directories:`

			`config: Contains your LAM configuration and account profiles`
			`- LAM configuration clear text passwords`
			`- default values for new accounts`
			`- directory must be accessibly by Apache but needs not to be accessible by the browser`

			`sess: PHP session files`
			`- LAM admin password in clear text or MCrypt encrypted`
			`- cached LDAP entries in clear text or MCrypt encrypted`
			`- directory must be accessibly by Apache but needs not to be accessible by the browser`

			`tmp: temporary files`
			`- PDF documents which may also include passwords`
			`- images of your users`
			`- directory contents must be accessible by browser but directory itself must not be browseable`