Package Details: ldapauthmanager 1.4.0-1

Git Clone URL: https://aur.archlinux.org/ldapauthmanager.git (read-only, click to copy)
Package Base: ldapauthmanager
Description: An LDAP user manager and password self-service webaapp.
Upstream URL: https://projects.jethrocarr.com/p/oss-ldapauthmanager/
Licenses: AGPL
Submitter: alerque
Maintainer: alerque
Last Packager: alerque
Votes: 0
Popularity: 0.000000
First Submitted: 2014-03-12 21:31 (UTC)
Last Updated: 2020-09-25 09:58 (UTC)

Latest Comments

alerque commented on 2020-09-25 09:55 (UTC)

@micwoj92 The author seems to have shut down the website and is redirecting to the GitHub page. There is a deprecation notice there too. This could be fixed by downloading from Git sources and doing some monkey work to fix the version number inside the downloaded archive, but I'm not going to do that work. This project has massive security issues that were never fixed and now it seems clear they never will be. I'm going to orphan this package and may ever file a deletion request for it.

micwoj92 commented on 2020-09-16 00:49 (UTC)

==> Validating source files with md5sums... ldapauthmanager-1.4.0.tar.bz2 ... FAILED apache.conf ... Passed ==> ERROR: One or more files did not pass the validity check!

alerque commented on 2014-03-12 23:34 (UTC)

I just went through a lot of trouble to configure and install this on a server only to discover that it has a massive security flaw in it's basic design that _must_ be dealt with to even consider for use in a secure environment. The entire user auth system is re-inventing the wheel. Half the point of LDAP as a user account manager is being able to securely identify users and privileges. This app destroys that model by requiring the LDAP server to give up it's job in favor of doing it's own authentication and privilege enforcement. In order to make this happen it requires that the root-dn (or a dn with permission READ all user password fields) is hard coded in plain text into a config file that must be readable by the http daemon user! The only time having a password like this sitting on the disk would be remotely appropriate would be for a daemon that runs as root and could have it's config file set to 0600. For a web app that runs as httpd or www-data or whatever your http daemon runs as this is entirely unacceptable. Even if you 600 the file, it is still readable by any user on the system who can publish a website that gets served by the http daemon (or anybody why can inject code into any site anywhere on the server). This could be resolved by leaving authentication to LDAP and binding as the user that authenticates. An admin user could be given permission to manage other users via the proper ACL's ahead of time. A user could even be allowed to login as the rootdn, but hard coding that access in the config file is to undermine the entire security of your server. WARNING: TL;DR: use of this webapp in it's current form will bypass the normal security of an LDAP server installation and leave ALL your user accounts open to ANY user an the system and any hacker that can find even the simplest loophole in any other software on the system. Until this is fixed I strongly advise against the use of this software.