
Package Details: ldapauthmanager 1.4.0-1

Git Clone URL: https://aur-dev.archlinux.org/ldapauthmanager.git (read-only)
Package Base: ldapauthmanager
Description: An LDAP user manager and password self-service webapp.
Upstream URL: https://projects.jethrocarr.com/p/oss-ldapauthmanager/
Licenses: AGPL
Submitter: caleb
Maintainer: caleb
Last Packager: caleb
Votes: 0
Popularity: 0.000000
First Submitted: 2014-03-12 21:31
Last Updated: 2015-06-13 11:21

Latest Comments

caleb commented on 2014-03-12 23:34

I just went through a lot of trouble to configure and install this on a server only to discover that it has a massive security flaw in its basic design that _must_ be dealt with to even consider for use in a secure environment.

The entire user auth system is re-inventing the wheel. Half the point of LDAP as a user account manager is being able to securely identify users and privileges. This app destroys that model by requiring the LDAP server to give up its job in favor of doing its own authentication and privilege enforcement.

In order to make this happen it requires that the root-dn (or a dn with permission to READ all user password fields) is hard coded in plain text into a config file that must be readable by the http daemon user! The only time having a password like this sitting on the disk would be remotely appropriate would be for a daemon that runs as root and could have its config file set to 0600. For a web app that runs as httpd or www-data or whatever your http daemon runs as this is entirely unacceptable. Even if you 600 the file, it is still readable by any user on the system who can publish a website that gets served by the http daemon (or anybody who can inject code into any site anywhere on the server).

This could be resolved by leaving authentication to LDAP and binding as the user that authenticates. An admin user could be given permission to manage other users via the proper ACLs ahead of time. A user could even be allowed to login as the rootdn, but hard coding that access in the config file is to undermine the entire security of your server.

WARNING:

TL;DR: use of this webapp in its current form will bypass the normal security of an LDAP server installation and leave ALL your user accounts open to ANY user on the system and any hacker that can find even the simplest loophole in any other software on the system.

Until this is fixed I strongly advise against the use of this software.
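The condition the comment above describes (a directory superuser's bind password written into an app config that the HTTP daemon's uid can read, so a restrictive file mode does not help) is easy to check for on a host. The script below is an added example written for this page; it is not code from the AUR page or from the ldapauthmanager project. The `$config[...]` key names, the two sample configs, the `.invalid` hostnames and the uid values it uses are all constructed for illustration, since the project's real config format is not shown here. It parses a PHP-style config, flags a stored bind credential (rating it higher when the DN looks like a directory superuser), and then decides whether a process running as the web daemon could read the file from the mode bits and ownership alone.

```python
"""Audit a PHP-style web-app config for a stored privileged LDAP bind credential.

Added example (not from the AUR page or the ldapauthmanager project). Key
names, sample configs and uid/gid values are constructed for illustration.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Hypothetical key names (constructed; not the project's real keys).
BIND_DN_KEYS = ("ldap_bind_dn", "ldap_manager_dn", "rootdn")
BIND_PW_KEYS = ("ldap_bind_password", "ldap_manager_pw", "rootpw")

# Matches  $config["key"] = "value";  with either quote style.
PHP_ASSIGN = re.compile(r"""\$config\[\s*['"](\w+)['"]\s*\]\s*=\s*['"]([^'"]*)['"]\s*;""")


@dataclass
class Finding:
    severity: str
    message: str


def parse_php_config(text):
    """Extract $config assignments into a dict; keys are lower-cased."""
    return {key.lower(): value for key, value in PHP_ASSIGN.findall(text)}


def is_privileged_dn(dn):
    """Heuristic: first RDN of a typical directory superuser (rootdn / admin)."""
    first_rdn = dn.split(",", 1)[0].strip().lower().replace(" ", "")
    return first_rdn in ("cn=admin", "cn=manager", "cn=root", "cn=directorymanager")


def readable_by(st, uid, gids):
    """Read access for a process with this uid/gids, from mode bits only
    (ignores POSIX ACLs and the fact that root reads everything)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_config(path, web_uid, web_gids=()):
    """Return findings for one config file, given the HTTP daemon's uid and gids."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        cfg = parse_php_config(fh.read())
    bind_dn = next((cfg[k] for k in BIND_DN_KEYS if k in cfg), None)
    bind_pw = next((cfg[k] for k in BIND_PW_KEYS if k in cfg), None)
    findings = []
    if not bind_pw:
        return findings  # no stored credential: the bind-as-user design
    privileged = bind_dn is not None and is_privileged_dn(bind_dn)
    findings.append(Finding(
        "HIGH" if privileged else "MEDIUM",
        f"static bind password stored for {bind_dn or '<no dn>'}"
        + (" (directory superuser)" if privileged else "")))
    if st.st_mode & stat.S_IROTH:
        findings.append(Finding("HIGH", "config file is world-readable"))
    elif readable_by(st, web_uid, web_gids):
        findings.append(Finding(
            "HIGH", "mode looks restrictive but the web daemon's uid/gid can still read it"))
    return findings


# Constructed sample: privileged credential baked into the app config.
SAMPLE_STORED_ROOTDN = '''<?php
$config["ldap_server"] = "ldaps://ldap.example.invalid";
$config["ldap_bind_dn"] = "cn=admin,dc=example,dc=invalid";
$config["ldap_bind_password"] = "CONSTRUCTED-PLACEHOLDER";
'''

# Constructed sample: no stored credential; the app binds with the logging-in
# user's own DN and password and leaves privilege decisions to LDAP ACLs.
SAMPLE_BIND_AS_USER = '''<?php
$config["ldap_server"] = "ldaps://ldap.example.invalid";
$config["ldap_user_dn_template"] = "uid=%s,ou=people,dc=example,dc=invalid";
'''


def write_sample(directory, name, text, mode):
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo(web_uid=None, web_gids=(), mode=0o600):
    """Audit both samples; by default the current user stands in for the web daemon."""
    if web_uid is None:
        web_uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        stored = write_sample(tmp, "config-stored.php", SAMPLE_STORED_ROOTDN, mode)
        bind = write_sample(tmp, "config-bind.php", SAMPLE_BIND_AS_USER, mode)
        return {"stored_rootdn": audit_config(stored, web_uid, web_gids),
                "bind_as_user": audit_config(bind, web_uid, web_gids)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", [f"{f.severity}: {f.message}" for f in findings] or ["no findings"])
```

Run as the account the web server uses (or pass its uid and gids to `demo`/`audit_config`) to see the point the comment makes: a `0600` file owned by that account is still fully readable by every script the daemon executes, so only the second design, which stores no credential at all, comes back clean.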