LDAPAccountManager/lam/docs
Roland Gruber 0ac4c8800d removed Blowfish encryption because of bad performance 2005-08-10 19:18:35 +00:00

README.security.txt

1. Use of SSL

   The data transferred between your browser and LAM is very sensitive.
   Always use an SSL-encrypted connection between LAM and your browser to
   protect yourself against network sniffers.


2. LDAP+SSL and TLS

   LAM should start TLS automatically if possible. LDAP+SSL will be used if you use
   ldaps://servername in your configuration profile.


3. Chrooted servers

   If your server is chrooted and has no access to /dev/random or /dev/urandom,
   this is a security risk. LAM stores your LDAP password encrypted in the session.
   If neither /dev/random nor /dev/urandom is accessible, LAM generates the key with rand(),
   so the key can be easily guessed.
   An attacker needs read access to the session file (e.g. from another Apache instance) to
   exploit this.


4. Protection of your LDAP password and directory contents

   You have to install the MCrypt extension for PHP to enable encryption.

   Your LDAP password is stored encrypted in the session file. The key and IV needed to
   decrypt it are stored in two cookies. MCrypt/AES is used to encrypt the password.
   All data read from LDAP that needs to be stored in the session file is encrypted
   as well.
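
   The session/cookie split from sections 3 and 4, as an added PHP example that is not
   LAM's own code. It assumes PHP 7.3 or later with the openssl extension (used here in
   place of the MCrypt extension the README names) and an already started session, and it
   aborts when no secure random source is available instead of falling back to rand().

```php
<?php
// Added example, not LAM's code. Assumes PHP >= 7.3, openssl extension, session_start() done.
const CIPHER = 'aes-256-gcm'; // authenticated mode: a modified session file fails to decrypt

// Key material comes only from the OS CSPRNG. random_bytes() throws when /dev/urandom or
// getrandom() is unreachable (e.g. in a chroot); abort rather than derive a guessable key.
function lamSessionKeyMaterial(): array {
    try {
        return ['key' => random_bytes(32), 'iv' => random_bytes(12)];
    } catch (Exception $e) {
        throw new RuntimeException('no secure random source; refusing to use a weak key', 0, $e);
    }
}

// Encrypt a secret for the session file; returns ciphertext followed by the 16-byte GCM tag.
function lamEncryptSecret(string $plain, string $key, string $iv): string {
    $tag = '';
    $cipher = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    return $cipher . $tag;
}

function lamDecryptSecret(string $blob, string $key, string $iv): string {
    $cipher = substr($blob, 0, -16);
    $tag = substr($blob, -16);
    $plain = openssl_decrypt($cipher, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('session data was modified or the cookie key is wrong');
    }
    return $plain;
}

// At login: ciphertext goes into the server-side session, key and IV into two cookies,
// so neither the session file alone nor the cookies alone reveal the LDAP password.
// Secure/HttpOnly cookies tie this to the SSL requirement of section 1.
function lamStoreLdapPassword(string $password): void {
    $km = lamSessionKeyMaterial();
    $_SESSION['ldap_password'] = lamEncryptSecret($password, $km['key'], $km['iv']);
    $opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict'];
    setcookie('lam_key', base64_encode($km['key']), $opts);
    setcookie('lam_iv', base64_encode($km['iv']), $opts);
}

// On later requests: recombine the cookie-held key and IV with the session-held ciphertext.
function lamLoadLdapPassword(): string {
    return lamDecryptSecret($_SESSION['ldap_password'],
        base64_decode($_COOKIE['lam_key']), base64_decode($_COOKIE['lam_iv']));
}
```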