Security#
This section contains guidelines to enforce security on a typical Carbonio installation.
Securing LDAP#
LDAP passwords used by Carbonio use by default the SHA-512 algorithm. While this algorithm is secure and there exist no know vulnerabilities, some institution may require some more secure algorithm.
Since version 23.4.0, Carbonio supports the storage of LDAP password using the Argon2 algorithm.
SHA-512 remains the default on Carbonio installation, but it is possible to allow the the new algorithm by means of a simple procedure in two steps.
Before starting the procedure, however, it is suggested to make a dump
of the LDAP database, using the command (as the zextras user)
zextras$ /opt/zextras/libexec/zmslapcat /tmp
Note
The dump will be saved in the /tmp/ directory, so
make sure to copy it to a safe location.
The first step of the procedure is up to the administrator and
requires to run as the zextras user the following script, which
enables the new Argon2 algorithm
zextras$ /opt/zextras/libexec/scripts/migrate20230217-AddArgon2.pl
Once the script has successfully completed, Argon2 will be used as default for new passwords. From now on, passwords of all new LDAP accounts will be stored using Argon2. Existing password, however, will still use SHA-512.
The second step, indeed, is up to the users: the password of each user will be stored using Argon2 only as soon as they change it.
Hint
The Administrator can force a user to change password from the Carbonio Admin Panel by enabling option This user must change password, that appears in tab General when editing a user under . See section Accounts for details.