449 lines
16 KiB
XML
449 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<appendix id="a_security">
|
|
<title>Security</title>
|
|
|
|
<section id="a_configPasswords">
|
|
<title>LAM configuration passwords</title>
|
|
|
|
<para>LAM supports a two level authorization system for its configuration.
|
|
Therefore, there are two types of configuration passwords:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">master configuration password:</emphasis>
|
|
needed to change general settings, create/delete server profiles and
|
|
self service profiles</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">server profile password:</emphasis> used
|
|
to change the settings of a server profile (e.g. LDAP server and
|
|
account types to manage)</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The master configuration password can be used to reset a server
|
|
profile password. Each server profile has its own profile password.</para>
|
|
|
|
<para>Both password types are stored as hash values in the configuration
|
|
files for enhanced security.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Use of SSL</title>
|
|
|
|
<para>The data which is transfered between you and LAM is very sensitive.
|
|
Please always use SSL encrypted connections between LAM and your browser
|
|
to protect yourself against network sniffers.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>LDAP with SSL and TLS</title>
|
|
|
|
<para>SSL will be used if you use ldaps://servername in your configuration
|
|
profile. TLS can be activated with the "Activate TLS" option.</para>
|
|
|
|
<para>If your LDAP server uses a SSL certificate of a well-know
|
|
certificate authority (CA) then you probably need no changes. If you use a
|
|
custom CA in your company then there are two ways to setup the CA
|
|
certificates.</para>
|
|
|
|
<section>
|
|
<title>Setup SSL certificates in LAM general settings</title>
|
|
|
|
<para>This is much easier than system level setup and will only affect
|
|
LAM. There might be some cases where other web applications on the same
|
|
web server are influenced.</para>
|
|
|
|
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
|
|
</section>
|
|
|
|
<section id="ssl_certSystem">
|
|
<title>Setup SSL certificates on system level</title>
|
|
|
|
<para>This will make the CA certificates available also to other
|
|
applications on your system (e.g. other web applications).</para>
|
|
|
|
<para>You will need to setup ldap.conf to trust your server certificate.
|
|
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf.
|
|
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf.
|
|
Specify the server CA certificate with the following option:</para>
|
|
|
|
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
|
|
<para>This needs to be the public part of the signing certificate
|
|
authority. See "man ldap.conf" for additional options.</para>
|
|
|
|
<literallayout>
|
|
</literallayout>
|
|
|
|
<para>You may also need to specify the CA certificate in your Apache
|
|
configuration by using the option "LDAPTrustedGlobalCert":</para>
|
|
|
|
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="selinux">
|
|
<title>Selinux</title>
|
|
|
|
<para>In case your server has selinux installed you might need to extend
|
|
the selinux ruleset. E.g. your webserver might not be allowed to write in
|
|
/var/lib.</para>
|
|
|
|
<para><emphasis role="bold">Read selinux status</emphasis></para>
|
|
|
|
<para>The following command will tell you if selinux is running in
|
|
Enforcing or Permissive mode.</para>
|
|
|
|
<para>Enforcing: access that does not match rules is denied</para>
|
|
|
|
<para>Permissive: access that does not match rules is granted but logged
|
|
to audit.log</para>
|
|
|
|
<programlisting>getenforce</programlisting>
|
|
|
|
<para><emphasis role="bold">Set selinux to Permissive
|
|
mode</emphasis></para>
|
|
|
|
<para>This will just log any access violations. You will need this to get
|
|
a list of missing rights.</para>
|
|
|
|
<programlisting>setenforce Permissive</programlisting>
|
|
|
|
<para>Now do any actions inside LAM that you need for your daily work
|
|
(e.g. edit server profiles, manage LDAP entries, ...).</para>
|
|
|
|
<para><emphasis role="bold">Extend selinux rules</emphasis></para>
|
|
|
|
<para>Selinux now has logged any violations to audit.log. You can use this
|
|
now to extend your ruleset and enable enforcing later.</para>
|
|
|
|
<para>The following example is for httpd. You can also adapt it to e.g.
|
|
nginx.</para>
|
|
|
|
<programlisting># build additional selinux rules from audit.log
|
|
grep httpd /var/log/audit/audit.log | audit2allow -m httpdlocal -o httpdlocal.te
|
|
</programlisting>
|
|
|
|
<para>The httpdlocal.te might look like this:</para>
|
|
|
|
<programlisting>module httpdlocal 1.0;
|
|
|
|
require {
|
|
type httpd_t;
|
|
type var_lib_t;
|
|
class file { setattr write };
|
|
}
|
|
|
|
#============= httpd_t ==============
|
|
|
|
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
|
|
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
|
|
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
|
|
allow httpd_t var_lib_t:file { setattr write };
|
|
</programlisting>
|
|
|
|
<para>Now we can compile and install this rule:</para>
|
|
|
|
<programlisting># build module
|
|
checkmodule -M -m -o httpdlocal.mod httpdlocal.te
|
|
# package module
|
|
semodule_package -o httpdlocal.pp -m httpdlocal.mod
|
|
# install module
|
|
semodule -i httpdlocal.pp</programlisting>
|
|
|
|
<para>Now you can switch back to Enforcing mode:</para>
|
|
|
|
<programlisting>setenforce Enforcing</programlisting>
|
|
|
|
<para>LAM should now work as expected with active selinux.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Chrooted servers</title>
|
|
|
|
<para>If your server is chrooted and you have no access to /dev/random or
|
|
/dev/urandom this can be a security risk. LAM stores your LDAP password
|
|
encrypted in the session. LAM uses rand() to generate the key if
|
|
/dev/random and /dev/urandom are not accessible. Therefore the key can be
|
|
easily guessed. An attaker needs read access to the session file (e.g. by
|
|
another Apache instance) to exploit this.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Protection of your LDAP password and directory contents</title>
|
|
|
|
<para>You have to install the OpenSSL extension for PHP to enable
|
|
encryption.</para>
|
|
|
|
<para>Your LDAP password is stored encrypted in the session file. The key
|
|
and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
|
|
encrypt the password. All data that was read from LDAP and needs to be
|
|
stored in the session file is also encrypted.</para>
|
|
</section>
|
|
|
|
<section id="apache">
|
|
<title>Apache configuration</title>
|
|
|
|
<section>
|
|
<title>Sensitive directories</title>
|
|
|
|
<para>LAM includes several .htaccess files to protect your configuration
|
|
files and temporary data. Apache is often configured to not use
|
|
.htaccess files by default. Therefore, please check your Apache
|
|
configuration and change the override setting to:</para>
|
|
|
|
<para>AllowOverride All</para>
|
|
|
|
<para>If you are experienced in configuring Apache then you can also
|
|
copy the security settings from the .htaccess files to your main Apache
|
|
configuration.</para>
|
|
|
|
<para>If possible, you should not rely on .htaccess files but also move
|
|
the config and sess directory to a place outside of your WWW root. You
|
|
can put a symbolic link in the LAM directory so that LAM finds the
|
|
configuration/session files.</para>
|
|
|
|
<para>Security sensitive directories:</para>
|
|
|
|
<para><emphasis role="bold">config: </emphasis>Contains your LAM
|
|
configuration and account profiles</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM configuration passwords (SSHA hashed)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>default values for new accounts</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessibly by Apache but needs not to be
|
|
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">sess:</emphasis> PHP session files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>LAM admin password in clear text or OpenSSL encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>cached LDAP entries in clear text or OpenSSL encrypted</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory must be accessibly by Apache but needs not to be
|
|
accessible by the browser</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para><emphasis role="bold">tmp:</emphasis> temporary files</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>PDF documents which may also include passwords</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>images of your users</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>directory contents must be accessible by browser but directory
|
|
itself needs not to be browseable</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section id="apache_http_auth">
|
|
<title>Use LDAP HTTP authentication for LAM</title>
|
|
|
|
<para>With HTTP authentication Apache will be responsible to ask for the
|
|
user name and password. Both will then be forwarded to LAM which will
|
|
use it to access LDAP. This approach gives you more flexibility to
|
|
restrict the number of users that may access LAM (e.g. by requiring
|
|
group memberships).</para>
|
|
|
|
<para>First of all you need to load additional Apache modules. These are
|
|
"<ulink
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html">mod_ldap</ulink>"
|
|
and "<ulink type=""
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">mod_authnz_ldap</ulink>".</para>
|
|
|
|
<para>Next you can add a file called "lam_auth_ldap" to
|
|
/etc/apache/conf.d. This simple example restricts access to all URLs
|
|
beginning with "lam" to LDAP authentication.</para>
|
|
|
|
<programlisting><location /lam>
|
|
AuthType Basic
|
|
AuthBasicProvider ldap
|
|
AuthName "LAM"
|
|
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
|
|
Require valid-user
|
|
</location></programlisting>
|
|
|
|
<para>You can also require that your users belong to a certain Unix
|
|
group in LDAP:</para>
|
|
|
|
<programlisting><location /lam>
|
|
AuthType Basic
|
|
AuthBasicProvider ldap
|
|
AuthName "LAM"
|
|
AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
|
|
Require valid-user
|
|
# force membership of lam-admins
|
|
AuthLDAPGroupAttribute memberUid
|
|
AuthLDAPGroupAttributeIsDN off
|
|
Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
|
|
</location></programlisting>
|
|
|
|
<para>Please see the <ulink
|
|
url="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html">Apache
|
|
documentation</ulink> for more details.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Self Service behind proxy in DMZ (LAM Pro)</title>
|
|
|
|
<para>In some cases you might want to make the self service accessible
|
|
via the internet. Here is an Apache config to forward only the required
|
|
URLs via a proxy server (lamproxy.company.com) in your DMZ to the
|
|
internal LAM server (lam.company.com).</para>
|
|
|
|
<para><inlinemediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="images/selfServiceProxy.png"/>
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
|
|
<para>This configuration allows your users to open
|
|
https://lamproxy.company.com which will then proxy the self service on
|
|
the internal server.</para>
|
|
|
|
<programlisting><VirtualHost lamproxy.company.com:443>
|
|
ServerName lamproxy.company.com
|
|
ErrorLog /var/log/apache2/lam-proxy-error.log
|
|
CustomLog /var/log/apache2/lam-proxy-access.log combined
|
|
DocumentRoot /var/www/lam-proxy
|
|
<Proxy *>
|
|
Require all granted
|
|
</Proxy>
|
|
SSLProxyEngine on
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/apache2/ssl/apache.pem
|
|
ProxyPreserveHost On
|
|
ProxyRequests off
|
|
loglevel info
|
|
|
|
# redirect front page to self service login page
|
|
RewriteEngine on
|
|
RedirectMatch ^/$ /templates/selfService/selfServiceLogin.php?scope=user\&name=lam
|
|
|
|
# proxy required URLs
|
|
ProxyPass /tmp https://lam.company.com/lam/tmp
|
|
ProxyPass /sess https://lam.company.com/lam/sess
|
|
ProxyPass /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPass /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPass /style https://lam.company.com/lam/style
|
|
ProxyPass /graphics https://lam.company.com/lam/graphics
|
|
|
|
ProxyPassReverse /tmp https://lam.company.com/lam/tmp
|
|
ProxyPassReverse /sess https://lam.company.com/lam/sess
|
|
ProxyPassReverse /templates/lib https://lam.company.com/lam/templates/lib
|
|
ProxyPassReverse /templates/selfService https://lam.company.com/lam/templates/selfService
|
|
ProxyPassReverse /style https://lam.company.com/lam/style
|
|
ProxyPassReverse /graphics https://lam.company.com/lam/graphics
|
|
</VirtualHost></programlisting>
|
|
</section>
|
|
</section>
|
|
|
|
<section id="nginx">
|
|
<title>Nginx configuration</title>
|
|
|
|
<para>There is no fully automatic setup of Nginx but LAM provides a
|
|
ready-to-use configuration file.</para>
|
|
|
|
<section>
|
|
<title>RPM based installations</title>
|
|
|
|
<para>The RPM package has dependencies on Apache. Therefore, Nginx is
|
|
not officially supported with this installation mode. Use tar.bz2 if you
|
|
are unsure.</para>
|
|
|
|
<para>However, the package also includes an Nginx configuration file.
|
|
Please include it in your server directive like this:</para>
|
|
|
|
<programlisting>server {
|
|
...
|
|
|
|
include /etc/ldap-account-manager/lam.nginx.conf;
|
|
|
|
...
|
|
}</programlisting>
|
|
|
|
<para>The included config file uses PHP 5. In case you run with PHP 7
|
|
please update the parameter "fastcgi_pass" to
|
|
"/var/run/php7-fpm.sock".</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>DEB based installations</title>
|
|
|
|
<para>The LAM installation package ships with an Nginx configuration
|
|
file. Please include it in your server directive like this:</para>
|
|
|
|
<programlisting>server {
|
|
...
|
|
|
|
include /etc/ldap-account-manager/nginx.conf;
|
|
|
|
...
|
|
}</programlisting>
|
|
|
|
<para>The included config file uses PHP 7.0. In case you run with PHP
|
|
7.1 or PHP 5 please update the parameter "fastcgi_pass" to
|
|
"/var/run/php/php7.1-fpm.sock".</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>tar.bz2 based installations</title>
|
|
|
|
<para>Please add the following configuration snippet to your server
|
|
directive.</para>
|
|
|
|
<para>You will need to change the alias location
|
|
("/usr/share/ldap-account-manager") and fastcgi_pass (e.g.
|
|
"/var/run/php5-fpm.sock" or "/var/run/php7-fpm.sock") to match your
|
|
installation.</para>
|
|
|
|
<programlisting>location /lam {
|
|
index index.html;
|
|
alias /usr/share/ldap-account-manager;
|
|
autoindex off;
|
|
|
|
location ~ \.php$ {
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
|
fastcgi_index index.php;
|
|
fastcgi_param SCRIPT_FILENAME $request_filename;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
|
|
deny all;
|
|
return 403;
|
|
}
|
|
|
|
}
|
|
</programlisting>
|
|
</section>
|
|
</section>
|
|
</appendix>
|