File: apbs06.html

package info
ldap-account-manager 3.7-2
  • area: main
  • in suites: wheezy
  • size: 34,660 kB
  • sloc: php: 49,813; perl: 305; makefile: 169; sh: 156; pascal: 132; xml: 111
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Apache configuration</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"><link rel="home" href="index.html" title="LDAP Account Manager - Manual"><link rel="up" href="apb.html" title="AppendixB.Security"><link rel="prev" href="apbs05.html" title="Protection of your LDAP password and directory contents"><link rel="next" href="apc.html" title="AppendixC.Recommended OpenLDAP settings"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Apache configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="apbs05.html">Prev</a></td><th width="60%" align="center">AppendixB.Security</th><td width="20%" align="right"><a accesskey="n" href="apc.html">Next</a></td></tr></table><hr></div><div class="section" title="Apache configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="idp6141632"></a>Apache configuration</h2></div></div></div><div class="section" title="Sensitive directories"><div class="titlepage"><div><div><h3 class="title"><a name="idp6142272"></a>Sensitive directories</h3></div></div></div><p>LAM includes several .htaccess files to protect your
        configuration files and temporary data. Apache is often configured
        not to use .htaccess files by default. Therefore, please check your
        Apache configuration and change the override setting to:</p><p>AllowOverride All</p><p>If you are experienced in configuring Apache then you can also
        copy the security settings from the .htaccess files to your main
        Apache configuration.</p><p>If possible, do not rely on .htaccess files alone but also
        move the config and sess directories to a place outside of your WWW
        root. You can put a symbolic link in the LAM directory so that LAM
        finds the configuration/session files.</p><p>Security sensitive directories:</p><p><span class="bold"><strong>config: </strong></span>Contains your LAM
        configuration and account profiles</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>LAM configuration passwords (SSHA hashed)</p></li><li class="listitem"><p>default values for new accounts</p></li><li class="listitem"><p>directory must be accessible by Apache but need not be
            accessible by the browser</p></li></ul></div><p><span class="bold"><strong>sess:</strong></span> PHP session files</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>LAM admin password in clear text or MCrypt encrypted</p></li><li class="listitem"><p>cached LDAP entries in clear text or MCrypt encrypted</p></li><li class="listitem"><p>directory must be accessible by Apache but need not be
            accessible by the browser</p></li></ul></div><p><span class="bold"><strong>tmp:</strong></span> temporary files</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>PDF documents which may also include passwords</p></li><li class="listitem"><p>images of your users</p></li><li class="listitem"><p>directory contents must be accessible by the browser but
            the directory itself need not be browseable</p></li></ul></div></div><div class="section" title="Use LDAP HTTP authentication for LAM"><div class="titlepage"><div><div><h3 class="title"><a name="apache_http_auth"></a>Use LDAP HTTP authentication for LAM</h3></div></div></div><p>With HTTP authentication, Apache is responsible for asking for
        the user name and password. Both are then forwarded to LAM, which
        uses them to access LDAP. This approach gives you more flexibility
        to restrict the number of users that may access LAM (e.g. by requiring
        group memberships).</p><p>First of all you need to load additional Apache modules. These
        are "<a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/mod_ldap.html" target="_top">mod_ldap</a>"
        and "<a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html" target="_top">mod_authnz_ldap</a>".</p><p>Next you can add a file called "lam_auth_ldap" to
        /etc/apache/conf.d. This simple example restricts access to all URLs
        beginning with "lam" to LDAP authentication.</p><pre class="programlisting">&lt;location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
&lt;/location&gt;</pre><p>You can also require that your users belong to a certain Unix
        group in LDAP:</p><pre class="programlisting">&lt;location /lam&gt;
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  # force membership of lam-admins; do not add "Require valid-user" here as
  # well, because several Require lines are combined with OR and any valid
  # user would be admitted again
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
&lt;/location&gt;</pre><p>Please see the <a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html" target="_top">Apache
        documentation</a> for more details.</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="apbs05.html">Prev</a></td><td width="20%" align="center"><a accesskey="u" href="apb.html">Up</a></td><td width="40%" align="right"><a accesskey="n" href="apc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Protection of your LDAP password and directory contents</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">AppendixC.Recommended OpenLDAP settings</td></tr></table></div></body></html>
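The two pieces of advice in the "Sensitive directories" section above (check that AllowOverride lets LAM's .htaccess files take effect, and move config and sess outside the WWW root with symbolic links left behind) as one added example; this is not code from the LAM manual or the LAM project. It is POSIX shell: `allow_override_for` parses the plain `<Directory>` blocks of a single httpd.conf (Include files are not followed) and applies Apache's longest-path-wins rule, and `relocate_lam_dirs` does the move-and-symlink step. All paths, the sample configuration and the `private` destination are constructed assumptions. Because the default when no block sets AllowOverride differs between Apache releases (All in 2.2, None from 2.3.9 on), the function reports "unset" instead of guessing.

```shell
#!/bin/sh
# Added example for the "Sensitive directories" section; not code from the
# LAM manual or the LAM project. All paths and the sample httpd.conf in demo()
# are constructed assumptions.
set -eu

# allow_override_for CONF DIR
#   Prints the AllowOverride value that applies to DIR according to the
#   <Directory> blocks in CONF (longest matching path wins, as in Apache),
#   or "unset" when no block covers DIR. Include directives are not followed;
#   the usual capitalisations of the directive names are accepted.
allow_override_for() {
    awk -v target="$2" '
    /^[[:space:]]*#/ { next }                       # whole-line comment
    {
        if ($0 ~ /^[[:space:]]*<[Dd]irectory[[:space:]]/) {
            p = $0
            sub(/^[[:space:]]*<[Dd]irectory[[:space:]]+/, "", p)
            sub(/>.*$/, "", p)
            gsub(/"/, "", p)
            sub(/\/+$/, "", p)                      # drop trailing slash
            cur = (p == "" ? "/" : p)
        } else if ($0 ~ /^[[:space:]]*<\/[Dd]irectory>/) {
            cur = ""
        } else if (cur != "" && $0 ~ /^[[:space:]]*[Aa]llow[Oo]verride[[:space:]]/) {
            v = $0
            sub(/^[[:space:]]*[Aa]llow[Oo]verride[[:space:]]+/, "", v)
            sub(/[[:space:]]+$/, "", v)
            ov[cur] = v
        }
    }
    END {
        best = ""; bestlen = -1
        for (p in ov)
            if ((p == "/" || index(target "/", p "/") == 1) && length(p) > bestlen) {
                best = p; bestlen = length(p)
            }
        print (best == "" ? "unset" : ov[best])
    }' "$1"
}

# lam_override_ok CONF DIR: true when the effective setting is "All", which is
# what the manual asks for so that LAM's .htaccess files are honoured.
lam_override_ok() {
    case "$(allow_override_for "$1" "$2" | tr '[:upper:]' '[:lower:]')" in
        all) return 0 ;;
        *)   return 1 ;;
    esac
}

# relocate_lam_dirs LAMROOT DEST
#   Moves LAMROOT/config and LAMROOT/sess to DEST and leaves absolute symbolic
#   links behind so LAM still finds them. DEST must lie outside the WWW root.
#   Changing the owner to the web server account is left to the operator.
relocate_lam_dirs() {
    lamroot="$1"
    mkdir -p "$2"
    dest=$(cd "$2" && pwd)                          # absolute target for the links
    for name in config sess; do
        src="$lamroot/$name"
        if [ -L "$src" ]; then
            echo "$src is already a symbolic link, skipping" >&2
            continue
        fi
        [ -d "$src" ] || { echo "$src: not a directory" >&2; return 1; }
        mv "$src" "$dest/$name"
        chmod 0750 "$dest/$name"                    # no world access
        ln -s "$dest/$name" "$src"
    done
}

# dir_outside_webroot WWWROOT PATH
#   True when PATH is a symbolic link whose (absolute) target is outside WWWROOT.
dir_outside_webroot() {
    www=$(cd "$1" && pwd)
    [ -L "$2" ] || return 1
    target=$(readlink "$2")
    case "$target" in
        "$www"/*) return 1 ;;
        /*)       return 0 ;;
        *)        return 1 ;;                       # relative link: not judged, fail closed
    esac
}

# Demonstration on a throw-away tree (constructed, not a real installation).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/lam/config" "$tmp/www/lam/sess" "$tmp/www/lam/tmp"
    cat > "$tmp/httpd.conf" <<'EOF'
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www">
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/lam>
    AllowOverride All
</Directory>
EOF
    echo "AllowOverride for /var/www/lam:   $(allow_override_for "$tmp/httpd.conf" /var/www/lam)"
    echo "AllowOverride for /var/www/other: $(allow_override_for "$tmp/httpd.conf" /var/www/other)"
    relocate_lam_dirs "$tmp/www/lam" "$tmp/private/lam"
    ls -l "$tmp/www/lam"
    rm -rf "$tmp"
}
demo
```

Run it with `sh` on a copy of your httpd.conf and LAM directory; the demo at the bottom only touches a temporary tree created with mktemp. After relocating, make the moved directories owned by the web server account, since the script changes only the mode, and confirm from a browser that `config/` and `sess/` are no longer reachable.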