Basically I am trying to use FDS for LDAP authentication for centralized authentication on my Linux network and I need to make sure that it is secure. I figured that enabling TLS for authentication would be a good start. I read the Red Hat Directory Server administrator guide chapter on TLS and followed the howto at http://directory.fedora.redhat.com/wiki/Howto:SSL. It looks like I have TLS enabled because I can get my Linux clients using the OpenLDAP PAM module to authenticate with TLS enabled, but my LDAP server will also let them authenticate without TLS! If someone authenticates without TLS, does that mean that their login credentials are being passed in the clear? How do I make FDS only allow TLS authentication? My basic goal is to make this secure.

I also have two medium vulnerabilities that keep popping up with ISS that I need to resolve but can't seem to find the proper configuration in the admin console.

"LDAP NullBind: LDAP anonymous access to directory

The NULL bind entry allows a user to access the Lightweight Directory Access Protocol (LDAP) directory anonymously. An attacker could take advantage of the NULL bind entry to anonymously view files on the LDAP directory.

Remedy: Disable the NULL bind entry or control the entry with Access Control Lists (ACLs).

References:"

--and--

"LDAP Schema: LDAP schema information gathering

An attacker could access the Lightweight Directory Access Protocol (LDAP) schema to gain information about the LDAP server. The LDAP server dumps its schema, which can show all necessary attributes needed for an object, including hidden or non-readable attributes. An attacker could use this information to access directory listings and plan further attacks.

Remedy: Disable the cn=schema entry or allow only authorized users to view the entry.

References:"

Any recommendations on any of these points would be helpful...

Thanks,
Sam Adams
General Dynamics - Information Technology
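An added audit script (not part of the original post or of FDS) that checks the three points raised above from the administrator's side: whether the server still accepts a simple bind over plain port 389 without STARTTLS (which sends the password in the clear), whether an anonymous (NULL) bind succeeds, and whether cn=schema is readable to that anonymous client. It assumes the third-party ldap3 package and a throwaway test account, since the cleartext probe itself puts that password on the wire.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProbeResult:
    cleartext_simple_bind_ok: bool      # simple bind accepted on port 389 with no STARTTLS
    anonymous_bind_ok: bool             # bind with empty DN and empty password accepted
    schema_readable_anonymously: bool   # cn=schema returned data to the anonymous client


def evaluate(r: ProbeResult) -> List[str]:
    """Turn probe results into findings; empty list means all three checks passed."""
    findings = []
    if r.cleartext_simple_bind_ok:
        findings.append("CLEARTEXT_BIND: simple bind accepted without TLS; "
                        "the password crossed the wire in plaintext")
    if r.anonymous_bind_ok:
        findings.append("NULL_BIND: anonymous bind accepted")
    if r.schema_readable_anonymously:
        findings.append("SCHEMA_EXPOSED: cn=schema readable without authentication")
    return findings


def probe(host: str, test_dn: str, test_password: str, port: int = 389) -> ProbeResult:
    """Run the three checks against a live server. test_dn should be a throwaway account."""
    from ldap3 import Server, Connection, BASE  # assumed dependency; imported lazily

    server = Server(host, port=port)

    # 1. Simple bind on the plain port, deliberately without start_tls().
    #    A correctly locked-down server should refuse this.
    conn = Connection(server, user=test_dn, password=test_password)
    cleartext_ok = conn.bind()
    conn.unbind()

    # 2. Anonymous bind: Connection() with no user/password is a NULL bind.
    anon = Connection(server)
    anon_ok = anon.bind()

    # 3. Schema read as that anonymous client (only meaningful if the bind worked).
    schema_ok = False
    if anon_ok:
        schema_ok = bool(anon.search("cn=schema", "(objectClass=*)", search_scope=BASE,
                                     attributes=["attributeTypes"]) and anon.entries)
        anon.unbind()

    return ProbeResult(cleartext_ok, anon_ok, schema_ok)
```

Re-run it after each configuration change until `evaluate(probe(...))` returns an empty list; a server that rejects the plain simple bind forces clients to STARTTLS or LDAPS before credentials are sent.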