12. Security advisories

12.1. Locked Users

When a user is locked in the user store this information is not passed to LinOTP, as each user store uses other means to lock a user. I.e. if you lock a user in Active Directory LinOTP will still authenticate this user successfully, when he provides the correct OTP value. If you also need to lock the user in LinOTP, you may lock all tokens of this user to disable his access.

12.2. UserIdResolver

The UserIdResolvers are used by the LinOTP Server to find the user object for a given login name. The user stores are configured on the LinOTP Server. You can change this configuration with the LinOTP Management Client. Technically the client communicates with the LinOTP Server via HTTP and the URL path /system/getConfig and /system/setConfig. Although the data is stored encrypted in the database, in the current version the passwords for the LDAP Bind and the SQL user are transferred in plain text between the LinOTP Management Client and the LinOTP server. So assure, that

  • you are using HTTPS,
  • you are restricting access to the /system/ interface via the apache config
  • you use an LDAP Bind that has only read access!