To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
This check verifies cryptography has been implemented
to protect the integrity of remote LDAP authentication sessions.
To determine if LDAP is being used for authentication, use the following
command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
$ sudo grep -i ssl /etc/pam_ldap.conf
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.
Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/nslcd.conf, and add or correct either of the following lines:
tls_cacertdir /etc/pki/tls/CAor
tls_cacertfile /etc/pki/tls/CA/cacert.pemThen review the LDAP server and ensure TLS has been configured.
The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
The 389-ds-base RPM is not installed by default on a Fedora system. It is needed only by the 389-ds server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
The Lightweight Directory Access Protocol (LDAP) is a service that provides
a method for looking up information from a central database.
The openldap-clients
package can be removed with the following command:
$ sudo dnf remove openldap-clients
If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.
The openldap-servers package is not installed by default on a Fedora system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.
Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.
If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.