2004-02-25 19:49:41 +00:00
1. Use of SSL

The data that is transferred between you and LAM is very sensitive.
Please always use SSL encrypted connections between LAM and your browser to
protect yourself against network sniffers.
2. LDAP+SSL and TLS

LAM should start TLS automatically if possible. LDAP+SSL will be used if you use
ldaps://servername in your configuration profile.
3. Chrooted servers

If your server is chrooted and has no access to /dev/random or /dev/urandom,
this can be a security risk. LAM stores your LDAP password encrypted in the session.
If /dev/random and /dev/urandom are not accessible, LAM uses rand() to generate the key,
so the key can be easily guessed.
To exploit this, an attacker needs read access to the session file (e.g. through another
Apache instance).
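
A check an administrator could run against the chroot described above, added here as an
example and not part of LAM: it reports whether /dev/urandom and /dev/random exist inside
the chroot as readable character devices. It assumes Linux device numbers (1:9 and 1:8)
and a stat that supports -c; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a chroot for usable kernel random devices.
# Assumption: Linux, where random is char device 1:8 and urandom is 1:9,
# and a stat that supports -c (GNU coreutils and busybox both do).

# check_random_dev CHROOT NAME EXPECTED_MAJ_MIN
# Returns 0 only if CHROOT/dev/NAME is the expected, readable char device.
check_random_dev() {
    crd_path="$1/dev/$2"
    if [ ! -e "$crd_path" ]; then
        echo "MISSING   $crd_path"; return 1
    fi
    if [ ! -c "$crd_path" ]; then
        echo "NOT-CHAR  $crd_path (regular file or other node type)"; return 1
    fi
    # %t:%T prints the device major:minor numbers in hex.
    crd_id=$(stat -c '%t:%T' "$crd_path" 2>/dev/null)
    if [ "$crd_id" != "$3" ]; then
        echo "WRONG-DEV $crd_path (major:minor $crd_id, expected $3)"; return 1
    fi
    if [ ! -r "$crd_path" ]; then
        echo "NO-READ   $crd_path (not readable by $(id -un))"; return 1
    fi
    echo "OK        $crd_path"; return 0
}

# audit_chroot_random CHROOT
# Returns 0 if at least one of the two devices is usable; the README says
# LAM falls back to rand() only when neither is accessible.
audit_chroot_random() {
    acr_ok=1
    check_random_dev "$1" urandom 1:9 && acr_ok=0
    check_random_dev "$1" random  1:8 && acr_ok=0
    if [ "$acr_ok" -ne 0 ]; then
        echo "RISK: no random device in $1; session key would come from rand()"
    fi
    return "$acr_ok"
}
```

Call it as `audit_chroot_random /path/to/chroot` (placeholder path) while running as the
user the web server runs as, so the readability test reflects what PHP sees.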
2005-08-10 19:18:35 +00:00
4. Protection of your LDAP password and directory contents

You have to install the MCrypt extension for PHP to enable encryption.
Your LDAP password is stored encrypted in the session file. The key and IV to decrypt
it are stored in two cookies. We use MCrypt/AES to encrypt the password.
All data that was read from LDAP and needs to be stored in the session file is also
encrypted.