SurgeLDAP Security
SurgeLDAP has a number of ways to improve the security of your data, from limiting user access to selected fields to limiting which machines may connect by IP address and how many connections each may make.
 
The following will describe what is available in SurgeLDAP.
 
Within the SurgeLDAP admin web interface you can see which connections are currently active and also list the 'IP Details' history for each module. This is located in the 'IP Limiting' section of the 'Site Status'.
Limiting Access By IP
SurgeLDAP can limit protocol connections to selected IP addresses. Not only can you limit connections to the LDAP protocol by IP, but each separate protocol can be given its own range of IP addresses.
 
Your surgeldap.ini file will contain lines like these:
 
#module manager all 6626 3600 2 manager 127.0.0.1
module ldap all 389 3600 50 main 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*
module http all 6680 3600 50 web

The above settings are the SurgeLDAP v1.0k defaults, which allow the most common local area network IP addresses. If no IP addresses are provided, all connections are accepted.
 
You should set up the IP limits depending on who you wish to give access. We suggest limiting this to as small a group of trusted computers as possible.
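As an added example (not SurgeLDAP's own code), the following Python evaluates the per-module IP list from a 'module' line the way the text describes. The line layout, the octet-wise '*' wildcard, and the fact that the two numeric fields before the module ID are ignored are all assumptions, since this page does not define them.

```python
# Added example, not SurgeLDAP code. Assumed surgeldap.ini line layout:
#   module <name> <bind> <port> <n1> <n2> <mod_id> [ip_list]
# The meaning of <n1> and <n2> is not given on this page, so they are ignored.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ModuleLine:
    name: str
    port: int
    mod_id: str
    ip_list: List[str]  # empty list means "accept connections from anywhere"


def parse_module_line(line: str) -> Optional[ModuleLine]:
    """Parse one 'module ...' line; comments and other lines return None."""
    parts = line.split()
    if len(parts) < 7 or parts[0] != "module":
        return None
    ip_list = parts[7].split(",") if len(parts) > 7 else []
    return ModuleLine(parts[1], int(parts[3]), parts[6], ip_list)


def ip_matches(pattern: str, ip: str) -> bool:
    """Octet-wise match, where a '*' octet in the pattern matches anything."""
    p, q = pattern.split("."), ip.split(".")
    return len(p) == len(q) == 4 and all(a in ("*", b) for a, b in zip(p, q))


def connection_allowed(mod: ModuleLine, client_ip: str) -> bool:
    """Per the text: no IP list at all means every connection is accepted."""
    return not mod.ip_list or any(ip_matches(pat, client_ip) for pat in mod.ip_list)


def load_modules(ini_text: str) -> Dict[str, ModuleLine]:
    """Index the active (uncommented) module lines by module ID."""
    parsed = (parse_module_line(line) for line in ini_text.splitlines())
    return {m.mod_id: m for m in parsed if m is not None}


# Constructed sample: the v1.0k defaults quoted above.
SAMPLE_INI = """\
#module manager all 6626 3600 2 manager 127.0.0.1
module ldap all 389 3600 50 main 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*
module http all 6680 3600 50 web
"""

if __name__ == "__main__":
    mods = load_modules(SAMPLE_INI)
    for mod_id, ip in [("main", "192.168.1.20"), ("main", "203.0.113.9"), ("web", "203.0.113.9")]:
        print(mod_id, ip, "allowed" if connection_allowed(mods[mod_id], ip) else "refused")
```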
Limiting Usage by IP
SurgeLDAP can also limit how connections from each IP are used. You can:
 
1. Limit concurrent connections per IP.
2. Ignore requests if they exceed a certain rate per IP per time period.
3. Limit password guessing (limit guesses per IP per time period).
4. Exempt selected IPs from these checks (allow_ip).

Your surgeldap.ini file will contain lines like these:
 
# -----------------------------------------------------------------------------
# Module Security
# ---------------
# SurgeLDAP Supports 
#	1) Limit Concurrent Connections per ip.
#	2) Setting to 'ignore' requests if they exceed a certain rate per 
#          ip per time.
#	3) Password Guessing is limited (limit guesses per ip per time)
#       4) Selected IP's ignore this feature (allow_ip)
#
# max_ip_connection mod_id number
# max_ip_rate mod_id number timeframe blocktime
# max_pass_guess mod_id number timeframe blocktime
#
# mod_id = This is the Module ID. (ie main or web)
# timeframe = in seconds
# blocktime = in seconds - All connections from this IP for this 
#                          time are refused.

allow_ip 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*

max_ip_connection main 10
max_ip_rate main 50 30 30
max_pass_guess main 3 30 60

# Web Connections also include images downloads
max_ip_connection web 100
#max_ip_rate web 20 60 60
max_pass_guess web 3 60 60

The above settings are the SurgeLDAP v1.0k defaults. The most common local area network IP addresses are set up to bypass these checks, so that applications you set up within the local area network will never be refused a connection by them.
 
You can set up separate rules for each protocol you configure within SurgeLDAP. In the above example the 'main' LDAP server and the 'web' server are set up separately.
 
You can set up multiple separate LDAP ports (143, 1143, 2143, etc.), each with its own limits, if desired.
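To make the max_pass_guess and max_ip_rate settings concrete, here is an added Python model (not SurgeLDAP's own code) of what the surgeldap.ini comments describe: more than 'number' events from one IP within 'timeframe' seconds refuses that IP for 'blocktime' seconds, and allow_ip addresses bypass the check. The sliding window and the "more than number" threshold are assumptions; the page does not say how SurgeLDAP counts internally.

```python
# Added example, not SurgeLDAP code. Models max_pass_guess / max_ip_rate:
# more than <number> events from one IP inside <timeframe> seconds refuses
# that IP for <blocktime> seconds; allow_ip addresses bypass the check.
# Sliding window and the ">number" threshold are assumptions.
from collections import defaultdict, deque


def ip_matches(pattern, ip):
    p, q = pattern.split("."), ip.split(".")
    return len(p) == len(q) == 4 and all(a in ("*", b) for a, b in zip(p, q))


class IpLimiter:
    def __init__(self, number, timeframe, blocktime, allow_ip=()):
        self.number, self.timeframe, self.blocktime = number, timeframe, blocktime
        self.allow_ip = list(allow_ip)
        self.events = defaultdict(deque)  # ip -> times of recent events
        self.blocked_until = {}           # ip -> time the block expires

    def check(self, ip, now):
        """Record one event (e.g. a failed bind) at 'now'; True = proceed, False = refuse."""
        if any(ip_matches(pat, ip) for pat in self.allow_ip):
            return True
        if self.blocked_until.get(ip, 0) > now:
            return False
        q = self.events[ip]
        q.append(now)
        while q and q[0] <= now - self.timeframe:  # drop events outside the window
            q.popleft()
        if len(q) > self.number:
            self.blocked_until[ip] = now + self.blocktime
            q.clear()
            return False
        return True


ALLOW_IP = ["127.0.0.1", "10.0.0.*", "192.168.1.*", "192.168.0.*"]  # the allow_ip line above

# Constructed sample: (seconds, client IP) of failed binds against the 'main'
# module, evaluated with "max_pass_guess main 3 30 60".
SAMPLE_FAILURES = [
    (0, "203.0.113.7"), (3, "10.0.0.5"), (4, "10.0.0.5"), (5, "203.0.113.7"),
    (5, "10.0.0.5"), (6, "10.0.0.5"), (9, "203.0.113.7"),
    (12, "203.0.113.7"),  # 4th guess inside 30 s: refused, blocked until t=72
    (40, "203.0.113.7"),  # still inside the 60 s block
    (80, "203.0.113.7"),  # block expired, counting starts afresh
]


def run_guess_limiter(events):
    lim = IpLimiter(3, 30, 60, allow_ip=ALLOW_IP)
    return [(t, ip, lim.check(ip, t)) for t, ip in events]
```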
Limiting Selected Fields
SurgeLDAP allows you to give fields security levels. These levels range from 0 (everyone) to 20 (SurgeLDAP admin only).
 
The security level is set up within the schema files themselves; a field with no level defined defaults to allowing everyone access.
 
The SurgeLDAP schemas supplied by default use four levels:
 
8 - All of SurgeMail/SurgeFTP/SurgeNews extended Fields.
10 - User Passwords
(userPassword, pass_answer)
12 - System Settings
(createTimestamp, modifyTimestamp, creatorsName, modifiersName)
20 - SurgeLDAP Admin Only
(Credit Card Details)

The above is just a guide; you can change these levels by editing the schema files. An example from a schema file is:
 
# All passwords in SurgeLDAP can be encoded
#userPassword = string(128),MATCH-CASE,HIDDEN10
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_CRYPT
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_MD5

The 'HIDDENx' tag determines the security level of this field.
 
If you wish to set up a user/password login to SurgeLDAP that grants access up to a selected security level, edit the SurgeLDAP 'user.dat' file to include the 'HIDDENx' level the user should have access to. An example user.dat file is:
 
# Manager Login
manager::*:ALL,HIDDEN20,ADMIN
cn=manager,dc=example,dc=com::*:ALL,HIDDEN20,ADMIN

# My User Login
lynden::*:ALL,HIDDEN10
cn=lynden,dc=example,dc=com::*:ALL,HIDDEN8

In this case 'manager' has full access, but 'lynden' only has access to level 8, which is just the main SurgeMail/SurgeFTP/SurgeNews settings, and is not allowed access to user passwords.
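The following added Python (not SurgeLDAP's own code) resolves which schema fields a user.dat login may read from the HIDDENx tags shown above. It assumes that a login with HIDDENn can read every field whose level is at most n, that a field with no HIDDEN tag is level 0, and that user.dat lines have the layout name::*:FLAG,FLAG,...; the sample schema fields other than userPassword and createTimestamp are placeholders.

```python
# Added example, not SurgeLDAP code. Assumed rule: a login with HIDDENn reads
# every field whose level is <= n; a field with no HIDDEN tag is level 0.
# Assumed user.dat layout: name::*:FLAG,FLAG,...
import re

HIDDEN_RE = re.compile(r"^HIDDEN(\d+)$")


def hidden_level(flags):
    """Highest HIDDENx value among the flags, or 0 when none is present."""
    return max((int(m.group(1)) for m in map(HIDDEN_RE.match, flags) if m), default=0)


def parse_schema(text):
    """Map field name -> security level from 'field = type,FLAG,...' lines."""
    levels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, spec = (s.strip() for s in line.split("=", 1))
        levels[name] = hidden_level(t.strip() for t in spec.split(","))
    return levels


def parse_user_dat(text):
    """Map login name -> (security level, has ADMIN flag)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, _, flags = line.split(":", 3)  # name::*:flags
        flag_list = [f.strip() for f in flags.split(",")]
        users[name] = (hidden_level(flag_list), "ADMIN" in flag_list)
    return users


def readable_fields(users, levels, login):
    """Fields the given login may read, by comparing its level to each field's."""
    level, _ = users[login]
    return sorted(f for f, lvl in levels.items() if lvl <= level)


# Constructed sample schema fragment in the syntax quoted above; 'example_extended'
# is a placeholder, not a real SurgeLDAP field.
SAMPLE_SCHEMA = """\
cn = string(64),MATCH-CASE
example_extended = string(32),HIDDEN8
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
createTimestamp = string(32),HIDDEN12
"""
SAMPLE_USER_DAT = """\
manager::*:ALL,HIDDEN20,ADMIN
cn=manager,dc=example,dc=com::*:ALL,HIDDEN20,ADMIN
cn=lynden,dc=example,dc=com::*:ALL,HIDDEN8
"""
```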
Encoding Passwords
SurgeLDAP allows you to set the encoding method used to store passwords in the LDAP server.
 
SurgeLDAP supports four encoding methods as well as clear-text passwords.
 
1. SSHA.
2. SHA.
3. Unix Crypt.
4. MD5.
5. Clear Text.

The default schemas are set up to use SSHA encoding. To change this you will need to edit the schema files. An example of this is:
 
# All passwords in SurgeLDAP can be encoded
#userPassword = string(128),MATCH-CASE,HIDDEN10
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_CRYPT
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_MD5

All you need to do is uncomment the encoding method you would like to use and comment out the SSHA line. Passwords that have already been encoded keep their existing encoding until they are set again.
 
Not only can you encode passwords, you can encode any field of your choosing where decoding back to the original value is not required.
 
We suggest that you do not use clear-text passwords unless you have applications which require this.
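As an added illustration (not SurgeLDAP's own code) of why an encoded password never needs decoding back to the original, the Python below stores and verifies passwords with the SSHA, SHA and MD5 methods listed above using the common {SCHEME}base64(...) LDAP convention. SurgeLDAP's exact on-disk format is not given on this page, so that convention is an assumption.

```python
# Added example, not SurgeLDAP code. Assumed storage convention (RFC 2307 style):
#   {SSHA}base64(sha1(password + salt) + salt)
#   {SHA}base64(sha1(password))   {MD5}base64(md5(password))
import base64
import hashlib
import hmac
import os

UNSALTED = {"{SHA}": hashlib.sha1, "{MD5}": hashlib.md5}


def encode_ssha(password, salt=None):
    """Salted SHA-1: a fresh random salt makes equal passwords encode differently."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def encode_unsalted(scheme, password):
    """{SHA} or {MD5}: no salt, so equal passwords always encode identically."""
    digest = UNSALTED[scheme](password.encode("utf-8")).digest()
    return scheme + base64.b64encode(digest).decode("ascii")


def scheme_of(stored):
    """Which method an already-stored value uses ('CLEAR' when it has no prefix)."""
    if stored.startswith("{SSHA}"):
        return "SSHA"
    for prefix in UNSALTED:
        if stored.startswith(prefix):
            return prefix.strip("{}")
    return "CLEAR"


def verify(password, stored):
    """Re-derive the digest from the candidate and compare in constant time;
    the stored value is never decoded back to the original password."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    for prefix, algo in UNSALTED.items():
        if stored.startswith(prefix):
            return hmac.compare_digest(algo(pw).digest(), base64.b64decode(stored[len(prefix):]))
    return hmac.compare_digest(pw, stored.encode("utf-8"))  # clear text
```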