TLS authentication

Basically I am trying to use FDS for LDAP authentication for centralized
authentication on my Linux network and I need to make sure that it is
secure.  I figured that enabling TLS for authentication would be a good
start.  I read the Red Hat Directory Server administrator guide chapter
on TLS and followed the howto at
http://directory.fedora.redhat.com/wiki/Howto:SSL.  It looks like I have
TLS enabled because I can get my Linux clients using the OpenLDAP PAM
module to authenticate with TLS enabled, but my LDAP server will also
let them authenticate without TLS!

If someone authenticates without TLS, does that mean that their login
credentials are being passed in the clear?  

How do I make FDS allow only TLS authentication?

My basic goal is to make this secure.  

I also have two medium vulnerabilities that keep popping up with ISS that
I need to resolve but can't seem to find the proper configuration in the
admin console.

" LDAP NullBind: LDAP anonymous access to directory

The NULL bind entry allows a user to access the Lightweight Directory
Access Protocol (LDAP) directory anonymously. An attacker could take
advantage of the NULL bind entry to anonymously view files on the LDAP
directory.
Remedy:
Disable the NULL bind entry or control the entry with Access Control
Lists (ACLs).
References:"

--and--

" LDAP Schema: LDAP schema information gathering

An attacker could access the Lightweight Directory Access Protocol
(LDAP) schema to gain information about the LDAP server. The LDAP server
dumps its schema, which can show all necessary attributes needed for an
object, including hidden or non-readable attributes. An attacker could
use this information to access directory listings and plan further
attacks.
Remedy:
Disable the cn=schema entry or allow only authorized users to view the
entry.
References:"

Any recommendations on any of these points would be helpful...  Thanks,

Sam Adams
General Dynamics - Information Technology
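Editor's note on the first question above (added example; this is not code from the post, from FDS or from the OpenLDAP PAM module). An LDAPv3 simple bind is a BER-encoded BindRequest whose "simple" credential is the password as an OCTET STRING (RFC 4511), so on a port-389 session that never negotiated StartTLS, or a plain ldap:// session rather than ldaps://, anyone sniffing the segment reads the DN and password byte for byte. The script below builds such a bind, builds the StartTLS extended request, and decodes a constructed client-to-server byte stream the way a capture-inspection tool would; it also separates the anonymous ("NULL") bind the ISS probe uses from an unauthenticated bind and a real credentialed one, using the RFC 4513 terms. The DN, the password, and the trailing fake TLS record bytes are assumptions made up for the sample; nothing here contacts a server.

```python
"""Added example (not from the original post or from FDS/389 DS): what an
LDAP simple bind and a StartTLS request look like on the wire, and a small
decoder that pulls the DN and password back out of a captured byte stream.
The sample bytes are constructed here; no directory server is contacted."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def _ber_len(n):
    # BER length: short form below 128, otherwise 0x80|count followed by the big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(v):
    # INTEGER, two's complement; non-negative values below 128 fit in one byte
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    Empty dn and password is the anonymous ("NULL") bind the ISS probe performs."""
    bind = _tlv(0x60, _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _integer(msg_id) + bind)


def build_starttls(msg_id):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _integer(msg_id) + ext)


def _read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def inspect_stream(stream):
    """Walk the client->server bytes of a port-389 session and report every bind.
    Stops at the first byte that is not an LDAPMessage (0x30): after a successful
    StartTLS the next bytes are a TLS record, and nothing after that is readable."""
    findings = []
    pos = 0
    while pos < len(stream) and stream[pos] == 0x30:
        _, msg, pos = _read_tlv(stream, pos)
        _, mid, p = _read_tlv(msg)
        msg_id = int.from_bytes(mid, "big", signed=True)
        op_tag, op, _ = _read_tlv(msg, p)
        if op_tag == 0x77:  # ExtendedRequest
            _, oid, _ = _read_tlv(op)
            if oid == STARTTLS_OID:
                findings.append({"msg_id": msg_id, "kind": "starttls"})
            continue
        if op_tag != 0x60:  # not a BindRequest (search, modify, ...)
            continue
        _, _version, p = _read_tlv(op)
        _, dn, p = _read_tlv(op, p)
        auth_tag, cred, _ = _read_tlv(op, p)
        if auth_tag == 0xA3:  # sasl [3]: credentials depend on the mechanism, not decoded here
            findings.append({"msg_id": msg_id, "kind": "sasl", "dn": dn.decode()})
            continue
        if auth_tag != 0x80:  # only simple [0] is left in LDAPv3
            continue
        if not dn and not cred:
            kind = "anonymous"          # RFC 4513: anonymous bind, what the scanner calls a NULL bind
        elif not cred:
            kind = "unauthenticated"    # RFC 4513: name given, empty password
        else:
            kind = "simple-cleartext"   # password is literally in the TCP payload
        findings.append({"msg_id": msg_id, "kind": kind, "dn": dn.decode(), "password": cred.decode()})
    return findings


# Constructed sample session (assumed DN and password): the scanner's NULL bind,
# a PAM client binding without TLS, then StartTLS followed by fake TLS record bytes.
SAMPLE_DN = "uid=sam,ou=People,dc=example,dc=com"
SAMPLE_STREAM = (
    build_simple_bind(1, "", "")
    + build_simple_bind(2, SAMPLE_DN, "Hunter2")
    + build_starttls(3)
    + b"\x16\x03\x01\x00\x05hello"  # stand-in for a TLS ClientHello record, not real TLS
)

if __name__ == "__main__":
    for finding in inspect_stream(SAMPLE_STREAM):
        print(finding)
```

The second finding comes back as kind "simple-cleartext" with password "Hunter2", which is what "passed in the clear" means for the client that skipped TLS. On the client side OpenLDAP's ldapsearch -ZZ aborts if StartTLS does not succeed, but a client that simply does not ask for TLS is exactly the case in the post, so the enforcement has to live on the server: it must refuse simple binds that arrive outside TLS (later 389 Directory Server releases expose this as nsslapd-require-secure-binds in cn=config; whether the FDS build in this post already has it is not established here).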