[ PHPXref.com ] [ Generated: Sun Jul 20 21:13:29 2008 ] [ YALA 0.32 ]

/ -> README.security (source)

Some notes about security
-------------------------

YALA aims to be as secure as possible, and was initially designed with security in
mind; however, I (the author) do not 100% trust it, which means that you should
trust it even less (unless you read its code, then we're equal).

REMEMBER that YALA opens a big new window to your LDAP: the web.
When you block LDAP ports by firewall but leave YALA accessible to the big evil
Internet, you've gained nothing.

I'd suggest the following steps to increase security:
1. Use a web-based authentication mechanism on YALA's directory. If you're using
Apache like the rest of the world, you can check out htaccess.example and
htpasswd.example.

2. Configure your firewall to allow access to your web server only from allowed
hosts, if possible.

3. Don't give the anonymous user permission to read (I don't even mention write)
from your LDAP server, if possible. I've found some YALAs accessible from
the Internet, clicked 'anonymous login', and voilà.. I've got nice info.

4. Find security holes and lemme know =)

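Steps 1 and 2 as an Apache .htaccess sketch (an added example, not YALA's
shipped htaccess.example). It assumes Apache 2.4 with mod_ssl and
AllowOverride AuthConfig for this directory; the password file path, the realm
name and the 192.0.2.0/24 admin network are placeholders.

```apache
# Added example, not YALA's htaccess.example. Assumes Apache 2.4 + mod_ssl.
# Place as .htaccess in the YALA directory (needs AllowOverride AuthConfig).

# Basic auth sends the password base64-encoded, so refuse plain HTTP.
SSLRequireSSL

AuthType Basic
AuthName "YALA"
# Placeholder path: keep the password file outside the web root.
# Create it with: htpasswd -c /etc/apache2/yala.htpasswd <user>
AuthUserFile /etc/apache2/yala.htpasswd

# Both conditions must hold: a valid login AND an allowed source address.
# 192.0.2.0/24 is a placeholder for your admin network.
<RequireAll>
    Require valid-user
    Require ip 192.0.2.0/24
</RequireAll>
```

The Require ip line complements the firewall rule from step 2 rather than
replacing it. Step 3 is still configured on the LDAP server itself.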

