Configuration can be stored in several formats (SQL, File, LDAP) but must be shared over the network if you use more than one server. If some of your servers are not in the same (secured) network as the database, it is recommended to use SOAP access for those servers.
Tip
You can use different types of access: SQL, File or LDAP for servers in the secured network, and SOAP for remote servers.
Next, you have to configure the SOAP access as described here, since SOAP access is denied by default.
By default, the manager is restricted to the user 'dwho' (the default backend is Demo). To protect the manager, you have to choose one or both of the following:
You can use any of the mechanisms proposed by Apache: SSL, Auth-Basic, Kerberos, ... Example:
<VirtualHost *:443>
    ServerName manager.example.com
    # SSL parameters
    ...
    # DocumentRoot
    DocumentRoot /var/lib/lemonldap-ng/manager/
    <Location />
        # Basic authentication against a htpasswd file
        AuthType Basic
        AuthName "Lemonldap::NG manager"
        AuthUserFile /usr/local/apache/passwd/passwords
        Require user rbowen
        # Network restriction (Apache 2.2 syntax)
        Order allow,deny
        Deny from all
        Allow from 192.168.142.0/24
        Options +ExecCGI
    </Location>
</VirtualHost>
To protect the manager by LL::NG, you just have to set this in the lemonldap-ng.ini configuration file (section [manager]):
[manager]
protection = manager
Attention
Before, you have to create the virtual host manager.your.domain in the manager and set a rule, else access to the manager will be denied.
LLNG portal now embeds the following features:
Attention
Rules are applied in alphabetical order (comment and regular expression). The first matching rule is applied.
Attention
The "default" rule is only applied if no other rule matches.
The Manager lets you define comments in rules, to order them.
For example, if these rules are used without comments:
Regular expression | Rule | Comment
---|---|---
^/pub/admin/ | $uid eq "root" |
^/pub/ | accept |
Then the second rule will be applied first, because ^/pub/ sorts before ^/pub/admin/, so every authenticated user will be granted access to the /pub/admin directory.
Use comments to correct this:
Regular expression | Rule | Comment
---|---|---
^/pub/admin/ | $uid eq "root" | 1_admin
^/pub/ | accept | 2_pub
Tip
You can write rules matching any component of the URL to protect, including GET parameters, but be careful.
For example, with this rule on the access parameter:
Regular expression | Rule | Comment
---|---|---
^/index.php\?.*access=admin | $groups =~ /\badmin\b/ |
default | accept |
Then a user who tries to access one of the following URLs will be granted access!
/index.php?access=admin&access=other
/index.php?Access=admin
You can use the following rules instead:
Regular expression | Rule | Comment
---|---|---
^/(?i)index.php\?.*access.*access | deny | 0_bad
^/(?i)index.php\?.*access=admin | $groups =~ /\badmin\b/ | 1_admin
default | accept |
Tip
(?i) makes the match case-insensitive.
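To see both effects above (comment ordering and the GET-parameter rules) on concrete URIs, here is a small model of the handler's rule evaluation, written for this page and not taken from LL::NG. It assumes rules are sorted by (comment, regexp), that a Perl rule expression can be stood in for by a Python predicate on the session hash, and that "accept" is the default when no default rule exists; Python also requires (?i) at the start of a pattern where Perl accepts it mid-pattern.

```python
import re

# Model of LL::NG rule evaluation written for this page (not LL::NG code):
# rules are tried in alphabetical order of (comment, regexp), the first
# regexp matching the request URI decides, and "default" applies when no
# regexp matches. The Perl expression of a rule ($uid eq "root", ...) is
# modelled as a Python predicate over the session hash, or as True/False
# for "accept"/"deny". Python wants (?i) at the very start of a pattern,
# whereas Perl also accepts it mid-pattern as the page writes it.
def is_root(session):
    return session.get("uid") == "root"

def is_admin(session):
    return re.search(r"\badmin\b", session.get("groups", "")) is not None

def ordered(rules):
    """Non-default rules in the order the handler evaluates them."""
    return sorted((r for r in rules if r[0] != "default"), key=lambda r: (r[2], r[0]))

def granted(rules, uri, session):
    default = True  # assumption: accept when no "default" rule is defined
    for regexp, rule, _comment in rules:
        if regexp == "default":
            default = rule
    for regexp, rule, _comment in ordered(rules):
        if re.search(regexp, uri):
            return rule if isinstance(rule, bool) else rule(session)
    return default if isinstance(default, bool) else default(session)

# Rule tables from the page as (regexp, rule, comment); "" means no comment.
PUB_UNORDERED = [(r"^/pub/admin/", is_root, ""), (r"^/pub/", True, "")]
PUB_ORDERED   = [(r"^/pub/admin/", is_root, "1_admin"), (r"^/pub/", True, "2_pub")]
ACCESS_NAIVE  = [(r"^/index.php\?.*access=admin", is_admin, ""), ("default", True, "")]
ACCESS_FIXED  = [(r"(?i)^/index.php\?.*access.*access", False, "0_bad"),
                 (r"(?i)^/index.php\?.*access=admin", is_admin, "1_admin"),
                 ("default", True, "")]

if __name__ == "__main__":
    dwho = {"uid": "dwho", "groups": "users"}  # constructed session
    print([r[0] for r in ordered(PUB_UNORDERED)])        # ['^/pub/', '^/pub/admin/']
    print(granted(PUB_UNORDERED, "/pub/admin/x", dwho))  # True: wrong rule wins
    print(granted(PUB_ORDERED, "/pub/admin/x", dwho))    # False: fixed by comments
    print(granted(ACCESS_NAIVE, "/index.php?Access=admin", dwho))  # True: bypass
    print(granted(ACCESS_FIXED, "/index.php?Access=admin", dwho))  # False
```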
Danger
Remember that rules written on GET parameters must be tested.
Some characters are encoded in URLs by the browser (such as space, ...). To avoid problems, LL::NG decodes them using Apache2::URI::unescape_url (https://metacpan.org/pod/Apache2::URI#unescape_url). So write your rules using normal, unencoded characters.
Danger
If you are running LemonLDAP::NG behind a reverse proxy, make sure you check the Reverse Proxy how-to so that the rule applies to the real user IP and not the reverse proxy's IP. Make sure you only specify trusted proxy addresses so that an attacker cannot forge the X-Forwarded-For header.
LL::NG can protect any Apache-hosted application, including applications published through the Apache reverse-proxy mechanism. Example:
PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
<VirtualHost *:443>
    SSLEngine On
    ... other SSL parameters ...
    # LL::NG handler checks the session and rules before the proxy runs
    PerlInitHandler My::Handler
    ServerName appl1.example.com
    ProxyPass / http://hiddenappl1.example.com/
    ProxyPassReverse / http://hiddenappl1.example.com/
    # Rewrite the cookie domain set by the backend (internal-domain public-domain)
    ProxyPassReverseCookieDomain hiddenappl1.example.com appl1.example.com
</VirtualHost>
See the mod_proxy and mod_rewrite documentation for more about configuring Apache reverse proxies.
Such a configuration can have some security problems:
It is recommended to secure the channel between the reverse proxies and the application, to be sure that only requests coming from the LL::NG-protected reverse proxies are allowed. You can use one or a combination of:
Go in Manager, General parameters » Advanced parameters » Security:
myapp.example.com .subdomain.example.com
* allows redirections to any external domain (DANGEROUS)
verify_hostname => 0, SSL_verify_mode => 0
formAction value with a wildcard like *.
Access-Control-Allow-Origin value with ' '.
Attention
If URLs are protected with the AuthBasic handler, you have to disable the CSRF token by setting a special rule based on the caller's IP address, like this (the token stays required for every caller except the loopback addresses matched by the regular expression):
requireToken => $env->{REMOTE_ADDR} && $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
Danger
Enabling global storage for one-time tokens will downgrade Portal performance!
It must ONLY be used with outdated or low-performance load balancers.
To prevent brute force attacks with fail2ban, edit /etc/fail2ban/jail.conf:
[lemonldap-ng]
enabled  = true
port     = http,https
filter   = lemonldap
action   = iptables-multiport[name=lemonldap, port="http,https"]
logpath  = /var/log/apache*/error*.log
maxretry = 3
and edit /etc/fail2ban/filter.d/lemonldap.conf:
# Fail2Ban configuration file
#
# Author: Adrien Beudin
#
# $Revision: 2 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(<HOST>\)
            Lemonldap\:\:NG \: Bad password for .* \(<HOST>\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Then restart fail2ban.
You can change the module used for session identifier generation. To do so, add the generateModule key in the configured session backend options.
We recommend using:
Lemonldap::NG::Common::Apache::Session::Generate::SHA256