2.10 Ensuring Privilege Separation for the iFolder Proxy User

The iFolder Proxy user is a proxy user identity used to access the LDAP server to retrieve a list of authorized users. The proxy user is automatically created during the iFolder enterprise server configuration. The username is predetermined (hard-coded) on the system. For most deployments, this username should never change.

Make sure that the user account assigned as the iFolder Proxy user is different than the one used for the iFolder Admin user and other system users. Separating the proxy user from the administrator provides privilege separation.

The proxy user password is auto-generated and stored briefly in the /<data path>/simias/.simias.ppf file of the iFolder server. This file is created during the configuration of the iFolder enterprise server and is removed when the server starts for the first time. A restart of Apache is forced at the end of the configuration process, which in turn starts the iFolder service. During the initial startup, the iFolder process reads the file, stores and encrypts the password by using the public key of the iFolder server in the server’s Simias database, and then removes the password from the file.