Clarifying REST session endpoint
Hi,
In the process of setting up the Auth Basic handler I had to activate the REST session endpoint, but I am not sure how it works. To be clear, my setup works, but I have doubts about its security.
Context
My goal was to proxy an Auth Basic header to a part of a protected application, SOGo's dav interface in my case:
DAV client -[Auth Basic]-> lemonLDAP -[Remote-User]-> SOGo
Software versions
- OS: Debian buster
- LemonLDAP version: 2.0.6
- Perl version: 5.30.0
- Reverse proxy: Nginx v1.17.1
What I did
- Set restSessionServer to 1 in the portal config.
- Remove the /index.psgi/config block in the portal's nginx config.
What I should apparently have done
- Set requireToken to 0 in the portal config.
My questions
- I can access /sessions/global/[session-id] when I am not connected. I understand that the session id is not guessable, but shouldn't it be protected like session/my/global?
- I did set requireToken to 0, but the server does not seem to block the request. Is it wanted?
- /sessions/global always returns result: 1 even when the credentials are incorrect. Is it wanted?
- Lemon removes Authorization headers when the Auth Basic handler is used. Is it wanted?
Thanks,
Louis
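Added example, not part of Louis's post and not LemonLDAP::NG's shipped configuration: an nginx fragment that keeps the REST session endpoint reachable only from the hosts that legitimately need it, as a network-level restriction independent of whatever the portal's requireToken setting does. The location prefix /sessions/ is taken from the paths in the post; whether the portal serves it under /sessions/ or under /index.psgi/sessions/ must be checked against the portal nginx config the post refers to. The addresses (127.0.0.1 and 10.0.0.0/24) and the FastCGI socket path are assumptions constructed for this example and should be replaced by the values of the existing index.psgi location in the portal's configuration.

```nginx
# Weak: no dedicated location for the session endpoint, so /sessions/... is
# served exactly like any other portal path, to any client that can reach
# the portal. (This is the situation the post describes; nothing to add here.)

# Hardened: a dedicated location that answers only trusted sources.
# 127.0.0.1 and 10.0.0.0/24 are constructed placeholders for the portal host
# itself and the internal network where the handler/SOGo front end lives.
location ^~ /sessions/ {
    allow 127.0.0.1;
    allow 10.0.0.0/24;
    deny  all;

    # allow/deny only filter the request; the location still has to hand it
    # to the portal exactly like the existing index.psgi location does.
    # Copy those directives from your portal config; the socket path below is
    # an assumption, not a value taken from the post.
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param SCRIPT_FILENAME $document_root/index.psgi;
    fastcgi_param PATH_INFO       $uri;
}
```

After reloading nginx, an unauthenticated request for /sessions/global/[session-id] from an address outside the allow list should get a 403 from nginx itself, before the portal code runs; requests from the listed hosts behave as before. Because "^~" wins over regex locations, this block must be placed in the same server block as the portal's existing psgi location so the two do not silently overlap.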