Rules Related To 'openldap'

Component overview

Changelog:

No changes recorded.

Relevant rules:

Rule details

Enable the LDAP Client For Use in Authconfig

enable_ldap_client

Description

To determine if LDAP is being used for authentication, use the following command:

$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH to yes.

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Configure LDAP Client to Use TLS For All Transactions

ldap_client_start_tls

Description

This check verifies cryptography has been implemented to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:

$ sudo grep -i useldapauth /etc/sysconfig/authconfig

If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:

$ sudo grep -i ssl /etc/pam_ldap.conf

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

Configure Certificate Directives for LDAP Use of TLS

ldap_client_tls_cacertpath

Description

Ensure a copy of a trusted CA certificate has been placed in the file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS use and to trust certificates signed by that CA. First, edit the file /etc/nslcd.conf, and add or correct either of the following lines:

tls_cacertdir /etc/pki/tls/CA

or

tls_cacertfile /etc/pki/tls/CA/cacert.pem

Then review the LDAP server and ensure TLS has been configured.

Rationale

The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.
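A POSIX sh audit of the three client rules above (enable_ldap_client, ldap_client_start_tls and ldap_client_tls_cacertpath), added here as an example and not part of the ComplianceAsCode rule content. It assumes the same three files the rules name (/etc/sysconfig/authconfig, /etc/pam_ldap.conf, /etc/nslcd.conf) and takes their paths as parameters; the configuration files it writes are constructed samples for illustration.

```shell
# Added audit helper (example only, not ComplianceAsCode content). The three
# file arguments are assumed to be authconfig, pam_ldap.conf and nslcd.conf.

# Print the value of the last active "KEY=value" / "KEY value" line in FILE
# (key compared case-insensitively, comments skipped); prints nothing if unset.
ldap_setting_get() {
    [ -r "$1" ] || return 1
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          k = line; sub(/[ \t=].*$/, "", k)
          if (tolower(k) != key) next
          if (k == line) { val = ""; next }      # key present with no value
          val = line; sub(/^[^ \t=]+[ \t=]+/, "", val)
          sub(/[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# Report PASS/FAIL for each rule and return the number of failures (0 = compliant).
audit_ldap_client() {
    fails=0
    if [ "$(ldap_setting_get "$1" useldapauth)" = yes ]; then
        echo "PASS enable_ldap_client: USELDAPAUTH=yes"
    else
        echo "FAIL enable_ldap_client: USELDAPAUTH is not yes"; fails=$((fails + 1))
    fi
    if [ "$(ldap_setting_get "$2" ssl)" = start_tls ]; then
        echo "PASS ldap_client_start_tls: ssl start_tls"
    else  # an absent ssl directive means the default of no, which also fails
        echo "FAIL ldap_client_start_tls: ssl is not start_tls"; fails=$((fails + 1))
    fi
    if [ -n "$(ldap_setting_get "$3" tls_cacertdir)$(ldap_setting_get "$3" tls_cacertfile)" ]; then
        echo "PASS ldap_client_tls_cacertpath: CA trust path set in nslcd.conf"
    else
        echo "FAIL ldap_client_tls_cacertpath: no tls_cacertdir or tls_cacertfile"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (not real system files) to exercise the audit.
SAMPLE_DIR=$(mktemp -d)
printf 'USELDAP=yes\nUSELDAPAUTH=yes\n' > "$SAMPLE_DIR/authconfig.good"
printf 'USELDAPAUTH=no\n' > "$SAMPLE_DIR/authconfig.bad"
printf 'uri ldap://ldap.example.com/\nssl start_tls\n' > "$SAMPLE_DIR/pam_ldap.good"
printf '# ssl start_tls\nuri ldap://ldap.example.com/\n' > "$SAMPLE_DIR/pam_ldap.bad"
printf 'tls_cacertfile /etc/pki/tls/CA/cacert.pem\n' > "$SAMPLE_DIR/nslcd.good"
printf 'uri ldaps://ldap.example.com/\n' > "$SAMPLE_DIR/nslcd.bad"
audit_ldap_client "$SAMPLE_DIR/authconfig.good" "$SAMPLE_DIR/pam_ldap.good" "$SAMPLE_DIR/nslcd.good"
```

Run it against the real files with `audit_ldap_client /etc/sysconfig/authconfig /etc/pam_ldap.conf /etc/nslcd.conf`; a commented-out `ssl start_tls` is reported as a failure because the directive then defaults to no.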

Uninstall 389-ds-base Package

package_389-ds-base_removed

Description

The 389-ds-base RPM is not installed by default on a Red Hat Enterprise Linux 10 system. It is needed only by the 389-ds server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

Rationale

Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.

Ensure LDAP client is not installed

package_openldap-clients_removed

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The openldap-clients package can be removed with the following command:

$ sudo dnf erase openldap-clients

Rationale

If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.

Uninstall openldap-servers Package

package_openldap-servers_removed

Description

The openldap-servers package is not installed by default on a Red Hat Enterprise Linux 10 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.

Rationale

Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems.

Disable LDAP Server (slapd)

service_slapd_disabled

Description

The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database.

Rationale

If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.