Apache configuration

Sensitive directories

LAM includes several .htaccess files to protect your configuration files and temporary data. Apache is often configured to ignore .htaccess files by default (AllowOverride None), in which case these protections are silently not applied. Therefore, check your Apache configuration and change the override setting for the LAM directory to:

AllowOverride All

If you are experienced in configuring Apache then you can also copy the security settings from the .htaccess files to your main Apache configuration. Rules in the main configuration cannot be switched off by a later change to AllowOverride and save Apache the per-request .htaccess lookups.

If possible, do not rely on .htaccess files at all: move the config and sess directories to a place outside of your WWW root and put symbolic links in the LAM directory so that LAM still finds the configuration and session files. Files outside the document root can never be served by Apache, whatever the override settings are.

Security sensitive directories:

config: Contains your LAM configuration and account profiles

  • LAM configuration passwords (SSHA hashed)

  • default values for new accounts

  • directory must be readable by Apache but need not be accessible from the browser

sess: PHP session files

  • LAM admin password in clear text or MCrypt encrypted

  • cached LDAP entries in clear text or MCrypt encrypted

  • directory must be readable and writable by Apache but need not be accessible from the browser

tmp: temporary files

  • PDF documents which may also include passwords

  • images of your users

  • directory contents must be accessible from the browser, but the directory itself need not be browsable (no directory index)
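The following script is an added example and not part of LAM or its documentation. It carries out the relocation described above for the config and sess directories, leaves symbolic links behind so LAM still finds its files, checks that the links really point outside the web root, and prints the Apache directives that replace the shipped .htaccess files (deny config and sess to browsers, keep tmp reachable without a directory listing). The paths /var/www/html/lam and /var/lib/ldap-account-manager and the user www-data are assumptions; change them to match your installation. If PHP's open_basedir is set, the new location must be added to it, because PHP resolves the symlinks before checking the restriction.

```shell
#!/bin/sh
# Added example, not part of LAM or its documentation: move LAM's config and
# sess directories out of the web root, leave symlinks in their place, and
# print the Apache directives that replace the shipped .htaccess files.
# Assumed paths (adjust to your installation): LAM is installed in $LAM_DIR,
# the relocated directories live below $PRIVATE_DIR, Apache runs as $APACHE_USER.
set -e

LAM_DIR="${LAM_DIR:-/var/www/html/lam}"
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/ldap-account-manager}"
APACHE_USER="${APACHE_USER:-www-data}"

# relocate_dir NAME: move $LAM_DIR/NAME to $PRIVATE_DIR/NAME and replace it
# with a symlink. Safe to rerun: an existing symlink is left untouched, and an
# existing target is never overwritten.
relocate_dir() {
    name="$1"
    src="$LAM_DIR/$name"
    dst="$PRIVATE_DIR/$name"
    if [ -L "$src" ]; then
        echo "$src already points to $(readlink "$src")"
        return 0
    fi
    [ -d "$src" ] || { echo "missing directory: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mkdir -p "$PRIVATE_DIR"
    mv "$src" "$dst"
    ln -s "$dst" "$src"
    # Only the web server user needs to read and write these files.
    chown -R "$APACHE_USER" "$dst" 2>/dev/null || true   # fails harmlessly when not root
    chmod 0700 "$dst"
}

# check_relocated NAME: succeed only if $LAM_DIR/NAME is a symlink whose
# target is a directory outside the web root.
check_relocated() {
    link="$LAM_DIR/$1"
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    [ -d "$target" ] || return 1
    case "$target" in
        "$LAM_DIR"/*) return 1 ;;   # still below the web root: not protected
    esac
    return 0
}

# apache_protect_conf: print the rules to put in the main Apache configuration
# (Apache 2.4 syntax; 2.2 uses "Order deny,allow" / "Deny from all" instead).
# Browser requests for config and sess are refused outright; tmp stays
# reachable but cannot be listed.
apache_protect_conf() {
    cat <<EOF
<Directory "$LAM_DIR/config">
    Require all denied
</Directory>
<Directory "$LAM_DIR/sess">
    Require all denied
</Directory>
<Directory "$LAM_DIR/tmp">
    Options -Indexes
</Directory>
EOF
}

# Run the relocation only when asked for explicitly, e.g.
#   LAM_RELOCATE=1 sh relocate-lam.sh
if [ "${LAM_RELOCATE:-0}" = 1 ]; then
    relocate_dir config
    relocate_dir sess
    check_relocated config && check_relocated sess
    apache_protect_conf
fi
```

Run it once as root with LAM_RELOCATE=1, append the printed directives to your main Apache configuration and reload Apache. Afterwards a request such as https://your-server/lam/config/ must return 403, and LAM must still be able to log in, which proves that PHP reads the configuration through the symlink.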

Use LDAP HTTP authentication for LAM

With HTTP authentication Apache is responsible for asking for the user name and password. Both are then forwarded to LAM, which uses them to access LDAP. This approach gives you more flexibility to restrict the set of users that may access LAM (e.g. by requiring group membership). Note that HTTP Basic authentication sends the credentials with every request, base64 encoded but not encrypted, so only use it over HTTPS.

First of all you need to load additional Apache modules. These are "mod_ldap" and "mod_authnz_ldap" (on Debian/Ubuntu: a2enmod ldap authnz_ldap).

Next you can add a file called "lam_auth_ldap" to /etc/apache/conf.d. This simple example restricts access to all URLs beginning with "/lam" to users who authenticate successfully against LDAP.

<Location /lam>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  # plain ldap:// is acceptable for a server on localhost; for a remote
  # server use ldaps:// (or LDAPTrustedMode TLS) so passwords are not sent in clear
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  Require valid-user
</Location>

You can also require that your users belong to a certain Unix group (posixGroup) in LDAP. Do not keep "Require valid-user" next to the group requirement: several Require directives at the same level are alternatives, so any authenticated user would be admitted whether or not they are in the group.

<Location /lam>
  AuthType Basic
  AuthBasicProvider ldap
  AuthName "LAM"
  AuthLDAPURL "ldap://localhost:389/ou=People,dc=company,dc=com?uid"
  # force membership of lam-admins: a posixGroup lists its members by
  # user name in memberUid, so the group attribute is not a DN
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-group cn=lam-admins,ou=group,dc=company,dc=com
</Location>

Please see the Apache documentation of mod_authnz_ldap for more details.