SecurityLAM configuration passwordsLAM supports a two level authorization system for its
configuration. Therefore, there are two types of configuration
passwords:master configuration
password: needed to change general settings,
create/delete server profiles and self service profilesserver profile password: used
to change the settings of a server profile (e.g. LDAP server and
account types to manage)The master configuration password can be used to reset a server
profile password. Each server profile has its own profile
password.Both password types are stored as hash values in the configuration
files for enhanced security.Use of SSLThe data which is transfered between you and LAM is very
sensitive. Please always use SSL encrypted connections between LAM and
your browser to protect yourself against network sniffers.LDAP with SSL and TLSSSL will be used if you use ldaps://servername in your
configuration profile. TLS can be activated with the "Activate TLS"
option.If your LDAP server uses a SSL certificate of a well-know
certificate authority (CA) then you probably need no changes. If you use
a custom CA in your company then there are two ways to setup the CA
certificates.Setup SSL certificates in LAM general settingsThis is much easier than system level setup and will only affect
LAM. There might be some cases where other web applications on the
same web server are influenced.See here for details.Setup SSL certificates on system levelThis will make the CA certificates available also to other
applications on your system (e.g. other web applications).You will need to setup ldap.conf to trust your server
certificate. Some installations use /etc/ldap.conf and some use
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
/etc/ldap/ldap.conf. Specify the server CA certificate with the
following option:TLS_CACERT /etc/ldap/ca/myCA/cacert.pemThis needs to be the public part of the signing certificate
authority. See "man ldap.conf" for additional options.You may also need to specify the CA certificate in your Apache
configuration by using the option "LDAPTrustedGlobalCert":LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pemSelinuxIn case your server has selinux installed you might need to extend
the selinux ruleset. E.g. your webserver might not be allowed to write
in /var/lib.Read selinux statusThe following command will tell you if selinux is running in
Enforcing or Permissive mode.Enforcing: access that does not match rules is deniedPermissive: access that does not match rules is granted but logged
to audit.loggetenforceSet selinux to Permissive
modeThis will just log any access violations. You will need this to
get a list of missing rights.setenforce PermissiveNow do any actions inside LAM that you need for your daily work
(e.g. edit server profiles, manage LDAP entries, ...).Extend selinux rulesSelinux now has logged any violations to audit.log. You can use
this now to extend your ruleset and enable enforcing later.The following example is for httpd. You can also adapt it to e.g.
nginx.# build additional selinux rules from audit.log
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
The httpdlocal.te might look like this:module httpdlocal 1.0;
require {
type httpd_t;
type var_lib_t;
class file { setattr write };
}
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
Now we can compile and install this rule:# build module
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
# package module
semodule_package -o httpdlocal.pp -m httpdlocal.mod
# install module
semodule -i httpdlocal.ppNow you can switch back to Enforcing mode:setenforce EnforcingLAM should now work as expected with active selinux.Chrooted serversIf your server is chrooted and you have no access to /dev/random
or /dev/urandom this can be a security risk. LAM stores your LDAP
password encrypted in the session. LAM uses rand() to generate the key
if /dev/random and /dev/urandom are not accessible. Therefore the key
can be easily guessed. An attaker needs read access to the session file
(e.g. by another Apache instance) to exploit this.Protection of your LDAP password and directory contentsYou have to install the OpenSSL extension for PHP to enable
encryption.Your LDAP password is stored encrypted in the session file. The
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
encrypt the password. All data that was read from LDAP and needs to be
stored in the session file is also encrypted.Apache configurationSensitive directoriesLAM includes several .htaccess files to protect your
configuration files and temporary data. Apache is often configured to
not use .htaccess files by default. Therefore, please check your
Apache configuration and change the override setting to:AllowOverride AllIf you are experienced in configuring Apache then you can also
copy the security settings from the .htaccess files to your main
Apache configuration.If possible, you should not rely on .htaccess files but also
move the config and sess directory to a place outside of your WWW
root. You can put a symbolic link in the LAM directory so that LAM
finds the configuration/session files.Security sensitive directories:config: Contains your LAM
configuration and account profilesLAM configuration passwords (SSHA hashed)default values for new accountsdirectory must be accessibly by Apache but needs not to be
accessible by the browsersess: PHP session filesLAM admin password in clear text or OpenSSL encryptedcached LDAP entries in clear text or OpenSSL encrypteddirectory must be accessibly by Apache but needs not to be
accessible by the browsertmp: temporary filesPDF documents which may also include passwordsimages of your usersdirectory contents must be accessible by browser but
directory itself needs not to be browseableUse LDAP HTTP authentication for LAMWith HTTP authentication Apache will be responsible to ask for
the user name and password. Both will then be forwarded to LAM which
will use it to access LDAP. This approach gives you more flexibility
to restrict the number of users that may access LAM (e.g. by requiring
group memberships).First of all you need to load additional Apache modules. These
are "mod_ldap"
and "mod_authnz_ldap".Next you can add a file called "lam_auth_ldap" to
/etc/apache/conf.d. This simple example restricts access to all URLs
beginning with "lam" to LDAP authentication.<location /lam>
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
</location>You can also require that your users belong to a certain Unix
group in LDAP:<location /lam>
AuthType Basic
AuthBasicProvider ldap
AuthName "LAM"
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
Require valid-user
# force membership of lam-admins
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
</location>Please see the Apache
documentation for more details.Self Service behind proxy in DMZ (LAM Pro)In some cases you might want to make the self service accessible
via the internet. Here is an Apache config to forward only the
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
the internal LAM server (lam.company.com).This configuration allows your users to open
https://lamproxy.company.com which will then proxy the self service on
the internal server.<VirtualHost lamproxy.company.com:443>
ServerName lamproxy.company.com
ErrorLog /var/log/apache2/lam-proxy-error.log
CustomLog /var/log/apache2/lam-proxy-access.log combined
DocumentRoot /var/www/lam-proxy
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
ProxyPreserveHost On
ProxyRequests off
loglevel info
# redirect front page to self service login page
RewriteEngine on
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
# proxy required URLs
ProxyPass /tmp https://lam.company.com/lam/tmp
ProxyPass /sess https://lam.company.com/lam/sess
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPass /style https://lam.company.com/lam/style
ProxyPass /graphics https://lam.company.com/lam/graphics
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
ProxyPassReverse /sess https://lam.company.com/lam/sess
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
ProxyPassReverse /style https://lam.company.com/lam/style
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
</VirtualHost>Nginx configurationThere is no fully automatic setup of Nginx but LAM provides a
ready-to-use configuration file.RPM based installationsThe RPM package has dependencies on Apache. Therefore, Nginx is
not officially supported with this installation mode. Use tar.bz2 if
you are unsure.However, the package also includes an Nginx configuration file.
Please include it in your server directive like this:server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}DEB based installationsThe LAM installation package ships with an Nginx configuration
file. Please include it in your server directive like this:server {
...
include /etc/ldap-account-manager/lam.nginx.conf;
...
}tar.bz2 based installationsPlease add the following configuration snippet to your server
directive.You will need to change the alias location
("/usr/share/ldap-account-manager") and fastcgi_pass
("/var/run/php5-fpm.sock") to match your installation.location /lam {
index index.html;
alias /usr/share/ldap-account-manager;
autoindex off;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
deny all;
return 403;
}
}