From Limbas Wiki
Limbas always requires a valid authentication; anonymous or guest users without authentication are not supported. Authentication is done by the BASIC-Auth of the Apache server. To keep the authentication data encrypted, it is always advisable to use only SSL connections.
Alternatively, an external LDAP authentication can be used. Users are then created automatically in Limbas and assigned to the appropriate group. Only those groups are included whose names are identical in LIMBAS and in LDAP. If the group membership changes in LDAP, it is updated at the next log-in to LIMBAS. If a user is deleted in LDAP, the user is not automatically deleted in LIMBAS; however, signing in is no longer possible. An exception is the user 'admin', who is always authenticated by the LIMBAS system and not by LDAP.
You can change the LDAP parameters in umgvars:
- header_auth: client browser authentication (basic/digest)
- server_auth: server authentication method (intern/LDAP)
- LDAP_domain: a valid LDAP or domain server
- LDAP_baseDn: the base DN for your domain
- LDAP_accountSuffix: the full account suffix for your domain
After a successful authentication, a PHP session is created which remains valid as long as the browser is open or as long as the server settings permit. An explicit log-out is not necessary.
For a minimum of security it is necessary to activate the delivered “.htaccess.demo” in the directory ./dependent/ (rename it to “.htaccess”) or to transfer its content into the httpd.conf. In principle, all files except those defined there are not allowed to be executed.
All files in the directory ./UPLOAD/ are renamed with an md5 hash.
The directory is protected against direct reads by users with an “.htaccess” file; for downloading files, a temporary symbolic link is created in the appropriate subdirectory:
    order deny,allow
    deny from all
When a user is created, all user directories are protected with a generated “.htaccess/.htpasswd” file. This file is regenerated every time the password is changed. The automatic generation of the “.htaccess” files of all user directories via the Limbas admin tool (tools->system) is only possible if the option “clear_pass” in the Umgvars is activated. This option is, however, only recommended for advanced administrators.
The entire source code should be read-only. The Apache user needs write access to the following directories (recursively):
Additionally, the directory ./admin/ can be restricted to local users. An “.htaccess” file can also be placed in the admin directory which only allows access from defined IP addresses:
    order deny,allow
    deny from all
    allow from 192.168
In general, PHP should have the following settings:
- register_globals = off
- magic_quotes_gpc = off
The maximum upload size should be configured as follows:
- file_uploads = On
- upload_max_filesize = 10M
- post_max_size = 16M
The maximum amount of memory used by PHP should not be limited too much, as for example the PDF generator and bigger table outputs need sufficient memory.
- memory_limit = 128M
A newer PHP setting is the maximum number of POST form elements; its default can easily be exceeded by Limbas if there are many tables with many fields.
- max_input_vars = 10000
Long texts are read via ODBC with a predefined size. If this size is too small, text blocks may be truncated; if it is too big, performance suffers. Depending on your usage, adjust the value to your own needs and approach the required value gradually.
- odbc.defaultlrl = 104857
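As an added example (not code from the Limbas project), the following Python script checks a php.ini against the settings listed above. It assumes the sizes and counts are minimums, and it additionally verifies that post_max_size can carry an upload of upload_max_filesize, because a request body larger than post_max_size is rejected before the upload limit is even consulted; the sample ini is constructed.

```python
import re
# Values from the page's recommended php.ini settings; sizes and counts are treated as minimums (assumption).
EXPECTED = {"register_globals": ("bool", False), "magic_quotes_gpc": ("bool", False),
            "file_uploads": ("bool", True), "upload_max_filesize": ("num", 10 * 1024**2),
            "post_max_size": ("num", 16 * 1024**2), "memory_limit": ("num", 128 * 1024**2),
            "max_input_vars": ("num", 10000), "odbc.defaultlrl": ("num", 104857)}

def php_size(value):
    """PHP shorthand ('10M', '128k', '2G', '4096') in bytes; a negative value means unlimited (-1)."""
    m = re.fullmatch(r"(-?\d+)([kKmMgG]?)", str(value).strip())
    if not m:
        raise ValueError(f"not a PHP size value: {value!r}")
    n = int(m.group(1))
    return -1 if n < 0 else n * {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}[m.group(2).lower()]

def php_bool(value):
    """php.ini booleans: on/yes/true/1 are true; off/no/0/none/'' (and a missing value) are false."""
    return str(value).strip().lower() in ("on", "yes", "true", "1")

def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [sections] are skipped, last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_php_ini(text):
    """Return {directive: (ok, actual)} for the page's directives plus the upload/post size ordering."""
    s, result = parse_php_ini(text), {}
    for key, (kind, want) in EXPECTED.items():
        actual = s.get(key)
        if kind == "bool":  # php_bool(None) is False, so a missing directive passes only if Off is wanted
            ok = php_bool(actual) == want
        else:
            ok = actual is not None and (php_size(actual) == -1 or php_size(actual) >= want)
        result[key] = (ok, actual)
    if "upload_max_filesize" in s and "post_max_size" in s:
        # a request body larger than post_max_size is discarded before upload_max_filesize is consulted
        up, post = php_size(s["upload_max_filesize"]), php_size(s["post_max_size"])
        result["post_max_size >= upload_max_filesize"] = (post == -1 or -1 < up <= post, f"{post} vs {up}")
    return result
SAMPLE_INI = """; constructed sample php.ini, not taken from a real Limbas installation
magic_quotes_gpc = On
upload_max_filesize = 20M
post_max_size = 16M   ; smaller than upload_max_filesize, so a 20M upload can never arrive
memory_limit = 64M
"""
```

Run `check_php_ini(open("/path/to/php.ini").read())` against a real file; every entry whose first element is False is a finding, and missing directives are reported with an actual value of None.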