LDAPAccountManager/lam/docs
Roland Gruber 35d175450f added td:width for meta HTML code;
fixed problem with module order and PHP5
2005-07-05 12:46:53 +00:00
..
devel added docs for login page 2005-06-06 20:11:53 +00:00
LGPL-license.txt updated license information 2004-02-25 17:16:08 +00:00
README.fpdf.htm added correct file endings, 2004-02-25 19:49:41 +00:00
README.hosts.txt added correct file endings, 2004-02-25 19:49:41 +00:00
README.lamdaemon.txt implemented user+passwd in STDIN 2005-03-05 13:23:59 +00:00
README.openldap.txt added correct file endings, 2004-02-25 19:49:41 +00:00
README.schema.txt added information about used schema files 2005-05-21 13:57:28 +00:00
README.security.txt added correct file endings, 2004-02-25 19:49:41 +00:00
modules-specification.htm added td:width for meta HTML code; 2005-07-05 12:46:53 +00:00

README.security.txt

1. Use of SSL

   The data which is transfered between you and LAM is very sensitive.
   Please always use SSL encrypted connections between LAM and your browser to
   protect yourself against network sniffers.


2. LDAP+SSL and TLS

   LAM should start TLS automatically if possible. LDAP+SSL will be used if you use
   ldaps://servername in your configuration profile.


3. Chrooted servers

   If your server is chrooted and you have no access to /dev/random or /dev/urandom
   this can be a security risk. LAM stores your LDAP password encrypted in the session.
   LAM uses rand() to generate the key if /dev/random and /dev/urandom are not accessible.
   Therefore the key can be easily guessed.
   An attaker needs read access to the session file (e.g. by another Apache instance) to
   exploit this.


4. LDAP password protection

   Your LDAP password is stored encrypted in the session file. The key and IV to decrypt
   it are stored in two cookies. We use MCrypt/AES or Blowfish to encrypt the password.


5. Protection of new user passwords

   These passwords are, if stored in the session file, encrypted with the same key and IV
   as your LDAP password.