444 lines
16 KiB
XML
444 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<appendix id="a_security">
|
|
<title>Security</title>
|
|
|
|
<section id="a_configPasswords">
|
|
<title>LAM configuration passwords</title>
|
|
|
|
<para>LAM supports a two level authorization system for its
|
|
configuration. Therefore, there are two types of configuration
|
|
passwords:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">master configuration
|
|
password:</emphasis> needed to change general settings,
|
|
create/delete server profiles and self service profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">server profile password:</emphasis> used
|
|
to change the settings of a server profile (e.g. LDAP server and
|
|
account types to manage)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The master configuration password can be used to reset a server
|
|
profile password. Each server profile has its own profile
|
|
password.</para>
|
|
|
|
<para>Both password types are stored as hash values in the configuration
|
|
files for enhanced security.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Use of SSL</title>
|
|
|
|
<para>The data which is transfered between you and LAM is very
|
|
sensitive. Please always use SSL encrypted connections between LAM and
|
|
your browser to protect yourself against network sniffers.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>LDAP with SSL and TLS</title>
|
|
|
|
<para>SSL will be used if you use ldaps://servername in your
|
|
configuration profile. TLS can be activated with the "Activate TLS"
|
|
option.</para>
|
|
|
|
<para>If your LDAP server uses a SSL certificate of a well-know
|
|
certificate authority (CA) then you probably need no changes. If you use
|
|
a custom CA in your company then there are two ways to setup the CA
|
|
certificates.</para>
|
|
|
|
<section>
|
|
<title>Setup SSL certificates in LAM general settings</title>
|
|
|
|
<para>This is much easier than system level setup and will only affect
|
|
LAM. There might be some cases where other web applications on the
|
|
same web server are influenced.</para>
|
|
|
|
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
|
|
</section>
|
|
|
|
<section id="ssl_certSystem">
|
|
<title>Setup SSL certificates on system level</title>
|
|
|
|
<para>This will make the CA certificates available also to other
|
|
applications on your system (e.g. other web applications).</para>
|
|
|
|
<para>You will need to setup ldap.conf to trust your server
|
|
certificate. Some installations use /etc/ldap.conf and some use
|
|
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
|
|
/etc/ldap/ldap.conf. Specify the server CA certificate with the
|
|
following option:</para>
|
|
|
|
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
|
|
<para>This needs to be the public part of the signing certificate
|
|
authority. See "man ldap.conf" for additional options.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>You may also need to specify the CA certificate in your Apache
|
|
configuration by using the option "LDAPTrustedGlobalCert":</para>
|
|
|
|
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="selinux">
|
|
<title>Selinux</title>
|
|
|
|
<para>In case your server has selinux installed you might need to extend
|
|
the selinux ruleset. E.g. your webserver might not be allowed to write
|
|
in /var/lib.</para>
|
|
|
|
<para><emphasis role="bold">Read selinux status</emphasis></para>
|
|
|
|
<para>The following command will tell you if selinux is running in
|
|
Enforcing or Permissive mode.</para>
|
|
|
|
<para>Enforcing: access that does not match rules is denied</para>
|
|
|
|
<para>Permissive: access that does not match rules is granted but logged
|
|
to audit.log</para>
|
|
|
|
<programlisting>getenforce</programlisting>
|
|
|
|
<para><emphasis role="bold">Set selinux to Permissive
|
|
mode</emphasis></para>
|
|
|
|
<para>This will just log any access violations. You will need this to
|
|
get a list of missing rights.</para>
|
|
|
|
<programlisting>setenforce Permissive</programlisting>
|
|
|
|
<para>Now do any actions inside LAM that you need for your daily work
|
|
(e.g. edit server profiles, manage LDAP entries, ...).</para>
|
|
|
|
<para><emphasis role="bold">Extend selinux rules</emphasis></para>
|
|
|
|
<para>Selinux now has logged any violations to audit.log. You can use
|
|
this now to extend your ruleset and enable enforcing later.</para>
|
|
|
|
<para>The following example is for httpd. You can also adapt it to e.g.
|
|
nginx.</para>
|
|
|
|
<programlisting># build additional selinux rules from audit.log
|
|
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
|
|
</programlisting>
|
|
|
|
<para>The httpdlocal.te might look like this:</para>
|
|
|
|
<programlisting>module httpdlocal 1.0;
|
|
|
|
require {
|
|
type httpd_t;
|
|
type var_lib_t;
|
|
class file { setattr write };
|
|
}
|
|
|
|
#============= httpd_t ==============
|
|
|
|
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
|
|
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
|
|
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
|
|
allow httpd_t var_lib_t:file { setattr write };
|
|
</programlisting>
|
|
|
|
<para>Now we can compile and install this rule:</para>
|
|
|
|
<programlisting># build module
|
|
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
|
|
# package module
|
|
semodule_package -o httpdlocal.pp -m httpdlocal.mod
|
|
# install module
|
|
semodule -i httpdlocal.pp</programlisting>
|
|
|
|
<para>Now you can switch back to Enforcing mode:</para>
|
|
|
|
<programlisting>setenforce Enforcing</programlisting>
|
|
|
|
<para>LAM should now work as expected with active selinux.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Chrooted servers</title>
|
|
|
|
<para>If your server is chrooted and you have no access to /dev/random
|
|
or /dev/urandom this can be a security risk. LAM stores your LDAP
|
|
password encrypted in the session. LAM uses rand() to generate the key
|
|
if /dev/random and /dev/urandom are not accessible. Therefore the key
|
|
can be easily guessed. An attaker needs read access to the session file
|
|
(e.g. by another Apache instance) to exploit this.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Protection of your LDAP password and directory contents</title>
|
|
|
|
<para>You have to install the MCrypt extension for PHP to enable
|
|
encryption.</para>
|
|
|
|
<para>Your LDAP password is stored encrypted in the session file. The
|
|
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
|
|
encrypt the password. All data that was read from LDAP and needs to be
|
|
stored in the session file is also encrypted.</para>
|
|
</section>
|
|
|
|
<section id="apache">
|
|
<title>Apache configuration</title>
|
|
|
|
<section>
|
|
<title>Sensitive directories</title>
|
|
|
|
<para>LAM includes several .htaccess files to protect your
|
|
configuration files and temporary data. Apache is often configured to
|
|
not use .htaccess files by default. Therefore, please check your
|
|
Apache configuration and change the override setting to:</para>
|
|
|
|
<para>AllowOverride All</para>
|
|
|
|
<para>If you are experienced in configuring Apache then you can also
|
|
copy the security settings from the .htaccess files to your main
|
|
Apache configuration.</para>
|
|
|
|
<para>If possible, you should not rely on .htaccess files but also
|
|
move the config and sess directory to a place outside of your WWW
|
|
root. You can put a symbolic link in the LAM directory so that LAM
|
|
finds the configuration/session files.</para>
|
|
|
|
<para>Security sensitive directories:</para>
|
|
|
|
<para><emphasis role="bold">config: </emphasis>Contains your LAM
|
|
configuration and account profiles</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM configuration passwords (SSHA hashed)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>default values for new accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessibly by Apache but needs not to be
|
|
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">sess:</emphasis> PHP session files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM admin password in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessibly by Apache but needs not to be
|
|
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">tmp:</emphasis> temporary files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>PDF documents which may also include passwords</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>images of your users</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory contents must be accessible by browser but
|
|
directory itself needs not to be browseable</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section id="apache_http_auth">
|
|
<title>Use LDAP HTTP authentication for LAM</title>
|
|
|
|
<para>With HTTP authentication Apache will be responsible to ask for
|
|
the user name and password. Both will then be forwarded to LAM which
|
|
will use it to access LDAP. This approach gives you more flexibility
|
|
to restrict the number of users that may access LAM (e.g. by requiring
|
|
group memberships).</para>
|
|
|
|
<para>First of all you need to load additional Apache modules. These
|
|
are "<ulink
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
|
|
and "<ulink type=""
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
|
|
|
|
<para>Next you can add a file called "lam_auth_ldap" to
|
|
/etc/apache/conf.d. This simple example restricts access to all URLs
|
|
beginning with "lam" to LDAP authentication.</para>
|
|
|
|
<programlisting><location /lam>
|
|
AuthType Basic
|
|
AuthBasicProvider ldap
|
|
AuthName "LAM"
|
|
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
|
|
Require valid-user
|
|
</location></programlisting>
|
|
|
|
<para>You can also require that your users belong to a certain Unix
|
|
group in LDAP:</para>
|
|
|
|
<programlisting><location /lam>
|
|
AuthType Basic
|
|
AuthBasicProvider ldap
|
|
AuthName "LAM"
|
|
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
|
|
Require valid-user
|
|
# force membership of lam-admins
|
|
AuthLDAPGroupAttribute memberUid
|
|
AuthLDAPGroupAttributeIsDN off
|
|
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
|
|
</location></programlisting>
|
|
|
|
<para>Please see the <ulink
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
|
|
documentation</ulink> for more details.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Self Service behind proxy in DMZ (LAM Pro)</title>
|
|
|
|
<para>In some cases you might want to make the self service accessible
|
|
via the internet. Here is an Apache config to forward only the
|
|
required URLs via a proxy server (lamproxy.company.com) in your DMZ to
|
|
the internal LAM server (lam.company.com).</para>
|
|
|
|
<para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/selfServiceProxy.png" />
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
|
|
<para>This configuration allows your users to open
|
|
https://lamproxy.company.com which will then proxy the self service on
|
|
the internal server.</para>
|
|
|
|
<programlisting><VirtualHost lamproxy.company.com:443>
|
|
ServerName lamproxy.company.com
|
|
ErrorLog /var/log/apache2/lam-proxy-error.log
|
|
CustomLog /var/log/apache2/lam-proxy-access.log combined
|
|
DocumentRoot /var/www/lam-proxy
|
|
<Proxy *>
|
|
Order deny,allow
|
|
Allow from all
|
|
</Proxy>
|
|
SSLProxyEngine on
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/apache2/ssl/apache.pem
|
|
ProxyPreserveHost On
|
|
ProxyRequests off
|
|
loglevel info
|
|
|
|
# redirect front page to self service login page
|
|
RewriteEngine on
|
|
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
|
|
|
|
# proxy required URLs
|
|
ProxyPass /tmp https://lam.company.com/lam/tmp
|
|
ProxyPass /sess https://lam.company.com/lam/sess
|
|
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPass /style https://lam.company.com/lam/style
|
|
ProxyPass /graphics https://lam.company.com/lam/graphics
|
|
|
|
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
|
|
ProxyPassReverse /sess https://lam.company.com/lam/sess
|
|
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPassReverse /style https://lam.company.com/lam/style
|
|
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
|
|
</VirtualHost></programlisting>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="nginx">
|
|
<title>Nginx configuration</title>
|
|
|
|
<para>There is no fully automatic setup of Nginx but LAM provides a
|
|
ready-to-use configuration file.</para>
|
|
|
|
<section>
|
|
<title>RPM based installations</title>
|
|
|
|
<para>The RPM package has dependencies on Apache. Therefore, Nginx is
|
|
not officially supported with this installation mode. Use tar.bz2 if
|
|
you are unsure.</para>
|
|
|
|
<para>However, the package also includes an Nginx configuration file.
|
|
Please include it in your server directive like this:</para>
|
|
|
|
<programlisting>server {
|
|
...
|
|
|
|
include /etc/ldap-account-manager/lam.nginx.conf;
|
|
|
|
...
|
|
}</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>DEB based installations</title>
|
|
|
|
<para>The LAM installation package ships with an Nginx configuration
|
|
file. Please include it in your server directive like this:</para>
|
|
|
|
<programlisting>server {
|
|
...
|
|
|
|
include /etc/ldap-account-manager/lam.nginx.conf;
|
|
|
|
...
|
|
}</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>tar.bz2 based installations</title>
|
|
|
|
<para>Please add the following configuration snippet to your server
|
|
directive.</para>
|
|
|
|
<para>You will need to change the alias location
|
|
("/usr/share/ldap-account-manager") and fastcgi_pass
|
|
("/var/run/php5-fpm.sock") to match your installation.</para>
|
|
|
|
<programlisting>location /lam {
|
|
index index.html;
|
|
alias /usr/share/ldap-account-manager;
|
|
autoindex off;
|
|
|
|
location ~ \.php$ {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
|
fastcgi_index index.php;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
}
|
|
</programlisting>
|
|
</section>
|
|
</section>
|
|
</appendix>
|