Safe exposing of reset-password site

[Sblop]

Hi All,

I do not feel confident in exposing the main lldap site, as this is the backbone in my auth flow, using authelia with oauth etc. I do however need my users being able to access the reset password feature. The lldap is currently on availabe for the admins.

I initially tried blocking all of lldap-ish.domain.tdl except lldap-ish.domain.tdl/reset-password, howvever several recourses are loaded from the root /.

After going through the loaded resources, I have exposed below, without any auth.

(Snip from Authelia config)

      resources:
      - "^/reset-password([/?].*)?$"
      - "^/static([/?].*)?$"
      - "^/pkg/lldap_app([/?].*)?$"
      - "^/auth/reset/step1([/?].*)?$"

I cannot however figure out if this is safe. I do not like exposing ANY of lldap, however as I need to, I like a second opinion on what to expose. I wish to obviously expose as little as possible, however the reset password functionality is quire essential.

Thanks in advance.

/Benjamin

[nitnelave]

Hey! It should be fairly safe to expose LLDAP to the internet. Now, I understand that this is not much reassurance if you're cautious.

I see a few ways to only expose the necessary functionality:

• block all but the necessary resources, as you did. It works now, and your list looks good, but that's not exactly an intended use case so I can't guarantee that it'll keep working. You might end up with half broken features because we added a new query.
• block all post requests except to the reset password flow. In particular, if you block the login, it'll be hard for anyone to find a security flaw. If you allow the login, then users can see their own account.
• block the entire website and provide password resets through LDAP with a third-party website. In particular, I believe authelia can do password resets? Not 100% sure about that.

[jakob42]

Authelia can do password reset (I'm using it against a samba PDC). (But is it really safer than lldap?)

@Sblop I don't know how big your setup is. But if it doesn't need to be fully automated you could just put basic auth in front of your lldap backend from externally and hand out the password for the seldom password reset.

Personally I feel like lldap is safe enough to be accessible from the internet. There are services I host for myself and friends I have much less faith in.

[nitnelave]

Putting basic auth in front of a password reset form would be kinda missing the point :D

[Sblop]

Hi Nitnelave, Thanks for your incredible quick answer. Okay, I did not do my homework good enough... Yes, it turns out that Authelia is able to change the lldap password, thus no need to expose lldap to the internet.
Reason I do not like to expose lldap is lack of 2 factor auth on the admin users. - I like keepling lldap basically only backend.

Again thanks for your quick replies. :-)

Just for reference, the authelia configuration is dead simple:

authentication_backend:
  refresh_interval: '5m'
  password_reset:
    disable: false

As long as the ldap connection is set, it just works, as long as the password reset has not been disabled.

[jakob42]

@nitnelave: Sure, in a big setup. But if its only for family and friends one could share that password on demand.

[nitnelave]

Ah, right a fixed "known" password, not an LDAP-based basic auth with your own password :D That makes sense!