User manual NOVELL IFOLDER 3.X SECURITY ADMINISTRATOR GUIDE 08-15-2006

[. . . ] Novell iFolder 3. x Security Administrator Guide novdocx (ENU) 01 February 2006 Novell ® iFolder 3. x SECURITY ADMINISTRATOR GUIDE August 15, 2006 www. novell. com novdocx (ENU) 01 February 2006 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] The proxy user password is stored briefly in the /opt/novell/ifolder3/etc/simiasserver-bootstrap. config on the iFolder server after configuring the iFolder enterprise server and before the iFolder service is started for the first time. The restart of Apache is forced at the end of the configuration process, which starts the iFolder service. During the initial startup, the iFolder process reads the simias-server-bootstrap. config file, stores the password in reversible encrypted format in the server's Simias database, and then removes the password from the file. For information, see "Admin User Considerations" in the Novell iFolder 3. x Administration Guide. For information about modifying the password, see the iFolder Proxy User setting in "Modifying the iFolder LDAP Settings" in the Novell iFolder 3. x Administration Guide. 2. 12 Securing the iFolder Proxy User Password The iFolder Proxy user's password is used to authenticate the iFolder Proxy user to the LDAP server when iFolder synchronizes users for the iFolder user list. When you initially configure the iFolder enterprise server in YaST, iFolder autogenerates a password for the iFolder proxy user, using the BASH random number generator for a number between 0 and 10, 000. Initially, the password for the iFolder Proxy user is stored in clear text in the /opt/novell/ifolder3/etc/simias-server-bootstrap. config file. At the end of the configuration process, the system reboots Apache 2 and starts iFolder. When iFolder runs this first time after configuration, the iFolder process copies the simias-server-bootstrap. config file to the Simias. config file. The default location of the Simias. config file is /var/lib/wwwrun/ . local/share/simias directory or the /home/wwwrun/. local/share/simias directory. The proxy user password is stored in a reversible encrypted form in the Simias database, then the value is removed from both configuration files. 14 Novell iFolder 3. x Security Administrator Guide novdocx (ENU) 01 February 2006 The password stored on the system for the iFolder Proxy user must match the password stored in the iFolder Proxy user's eDirectoryTM object. If you ever modify the iFolder Proxy user password in eDirectory, you must also change the password stored on the system. For example, if you change the iFolder Proxy user assignment, or if you want to set a longer password for the iFolder Proxy user, you must modify the values in iFolder's LDAP settings or iFolder cannot access the LDAP server to update the user list. For information, see "Modifying the iFolder Proxy User Password" in the Novell iFolder 3. x Administration Guide. To prevent unauthorized access to the Simias. config file, administrators of the iFolder 3. x server computer must use every precaution to not inadvertently assign file system rights to the /var/ lib/wwwrun/. local/share/simias directory or the /home/wwwrun/. local/ share/simias directory to unauthorized users. To protect the password when authenticating to the LDAP server, make sure to configure the LDAP Server Port and Port Is Secure options in the iFolder LDAP settings for secure (default) communications between the servers and the LDAP server. For information, see "Modifying the iFolder LDAP Settings" in the Novell iFolder 3. x Administration Guide. 2. 13 Using Synchronize Now to Remove Users Effective Immediately The iFolder User list is periodically updated based on the LDAP synchronization interval. Whenever you remove users from a LDAP Search DN, or remove contexts from the Search DN list, you should synchronize the list immediately using Update and Synchronize now to enforce your changes. For information, see "Synchronizing the iFolder User List with the LDAP Server" in the Novell iFolder 3. x Administration Guide. 2. 14 Controlling Access to the iFolder Data Store The iFolder server stores the database and user files under the /var/opt/novell/ifolder3/ simias directory. By default, the Apache Server user "wwwrun" owns those files. Administrators of the iFolder 3. x server machine must use every precaution to not inadvertently assign rights to unauthorized users. 2. 15 Controlling Access to the iFolder Server Configuration Files The iFolder server stores the configuration files in the /var/lib/wwwrun/. local/share/ simias directory (or in the /home/wwwrun/. local/share/simias directory if NSS is post-installed on the server). The Apache Server user "wwwrun" owns the configuration file. [. . . ] For information, see Section 4. 3, "Securing Communications with a VPN If SSL Is Disabled, " on page 21. · Survey the interference and jamming likelihood for a planned wireless LAN before it is installed. · Change the default manufacturer's password for your wireless access points, gateways, or routers. · Limit, as much as is possible, who can attach to a wireless network. [. . . ]