Adams Samuel D Contr AFRL/HEDR wrote:

> Basically I am trying to use FDS for LDAP authentication for centralized
> authentication on my Linux network and I need to make sure that it is
> secure. I figured that enabling TLS for authentication would be a good
> start. I read the Red Hat Directory Server administrator guide chapter on
> TLS and followed the howto at http://directory.fedora.redhat.com/wiki/Howto:SSL.
> It looks like I have TLS enabled because I can get my Linux clients using
> the OpenLDAP PAM module to authenticate with TLS enabled, but my LDAP
> server will also let them authenticate without TLS! If someone
> authenticates without TLS, does that mean that their login credentials are
> being passed in the clear?

Yes. But how are they authenticating other than PAM? That is, if PAM is set
to use TLS, how can they log in through PAM without TLS?

> How do I make the FDS only allow TLS authentication?

I don't think you can. The startTLS operation requires the non-secure port.
If you just want to use LDAPS (TLS without startTLS) then you can disable the
non-secure port. Then all server traffic must be encrypted.

> My basic goal is to make this secure.
>
> I also have two medium vulnerabilities that keep popping up with ISS that
> I need to resolve but can't seem to find the proper configuration in the
> admin console.
>
> "LDAP NullBind: LDAP anonymous access to directory
> The NULL bind entry allows a user to access the Lightweight Directory
> Access Protocol (LDAP) directory anonymously. An attacker could take
> advantage of the NULL bind entry to anonymously view files on the LDAP
> directory.
> Remedy: Disable the NULL bind entry or control the entry with Access
> Control Lists (ACLs).
> References:"

Yes, you can disable access with ACIs by removing the anonymous search ACI.
However, this may disable apps like PAM that first need to perform a search
for the user's userid (e.g. at a login prompt). Some apps (like PAM) allow
you to perform the search as a real user, so you can grant search access to
only that user. You can also use SASL/Kerberos to avoid sending cleartext
passwords over the wire.

> --and--
>
> "LDAP Schema: LDAP schema information gathering
> An attacker could access the Lightweight Directory Access Protocol (LDAP)
> schema to gain information about the LDAP server. The LDAP server dumps
> its schema, which can show all necessary attributes needed for an object,
> including hidden or non-readable attributes. An attacker could use this
> information to access directory listings and plan further attacks.
> Remedy: Disable the cn=schema entry or allow only authorized users to view
> the entry.
> References:"

Again, you can simply remove the anonymous search ACI on this entry, but this
may break some applications that require anonymous access to query the
schema.

> Any recommendations on any of these points would be helpful...
>
> Thanks,
> Sam Adams
> General Dynamics - Information Technology

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
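The thread above leaves the reader with two things to check on their own server: whether the non-secure port is still open (so simple binds can travel in the clear) and which ACIs hand read/search rights to anonymous binds (the NULL bind and cn=schema findings). The following audit script is an added example, not code from this thread or from the Fedora Directory Server project. It parses an LDIF dump of the kind `ldapsearch` produces for cn=config and the suffix/schema entries and reports both exposures. The LDIF samples are constructed; the attribute names nsslapd-port, nsslapd-secureport and nsslapd-security and the ACI syntax follow FDS/389 DS conventions (the assumption that nsslapd-port: 0 disables the cleartext listener is the same mechanism the reply refers to as "disable the non-secure port"), and the search user uid=pamsearch,ou=services,dc=example,dc=com is a placeholder for the "real user" PAM could bind as.

```python
"""Audit a Fedora/389 Directory Server LDIF dump for cleartext exposure.

Flags (1) a still-enabled non-secure LDAP port and (2) ACIs that allow
rights to "ldap:///anyone", i.e. anonymous binds.  Added example; the
LDIF below is constructed and the DNs in it are placeholders.
"""
import re
from typing import Dict, List

ANYONE = "ldap:///anyone"
# One "allow (rights) bindrule;" or "deny (rights) bindrule;" clause of an ACI.
PERM_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I | re.S)
ANON_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.I)


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: DN (lower-cased) -> attribute -> values.
    Handles '#' comments and folded continuation lines (leading space)."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]      # unfold continuation line
            continue
        if not raw.strip():                        # blank line ends the entry
            current, last_attr = None, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.lstrip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            last_attr = None
            continue
        if current is None:
            continue
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def anonymous_grants(aci: str) -> List[str]:
    """Rights an ACI *allows* to anonymous binds ([] if none or only deny)."""
    rights: List[str] = []
    for kind, perms, bindrule in PERM_RE.findall(aci):
        if kind.lower() == "allow" and ANON_RE.search(bindrule):
            rights.extend(p.strip().lower() for p in perms.split(",") if p.strip())
    return rights


def audit(ldif_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    entries = parse_ldif(ldif_text)
    findings: List[str] = []
    cfg = entries.get("cn=config", {})
    port = cfg.get("nsslapd-port", ["389"])[0]
    if port != "0":
        findings.append(f"cleartext LDAP port {port} enabled: simple binds can be sent unencrypted")
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        findings.append("nsslapd-security is off: LDAPS/startTLS not available")
    for dn, attrs in entries.items():
        for aci in attrs.get("aci", []):
            rights = anonymous_grants(aci)
            if rights:
                findings.append(f"{dn}: anonymous ({ANYONE}) allowed {', '.join(rights)}")
    return findings


# Constructed dump resembling a default install: plain port open, anonymous
# read/search on the suffix and on cn=schema (note the folded 'aci' line).
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on

dn: dc=example,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Enable anonymous acces
 s"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "pam search user"; allow (read, search, compare) userdn = "ldap:///uid=pamsearch,ou=services,dc=example,dc=com";)

dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr != "aci")(version 3.0; acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
"""

# Constructed hardened dump: LDAPS only, search granted to the PAM bind user,
# schema readable by authenticated users ("ldap:///all") rather than anyone.
HARDENED_LDIF = """\
dn: cn=config
nsslapd-port: 0
nsslapd-secureport: 636
nsslapd-security: on

dn: dc=example,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "pam search user"; allow (read, search, compare) userdn = "ldap:///uid=pamsearch,ou=services,dc=example,dc=com";)

dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr != "aci")(version 3.0; acl "schema for authenticated users"; allow (read, search, compare) userdn = "ldap:///all";)
"""

if __name__ == "__main__":
    for label, dump in (("default", SAMPLE_LDIF), ("hardened", HARDENED_LDIF)):
        print(f"[{label}]")
        for line in audit(dump) or ["no findings"]:
            print("  " + line)
```

Run it against your own dump (`ldapsearch -x -D "cn=Directory Manager" -W -b cn=config` and `-b <suffix> aci`, plus `-b cn=schema aci`) instead of the constructed strings. The hardened sample keeps a search ACI for a dedicated bind user, which is the trade-off the reply describes: removing the anonymous ACI breaks PAM's pre-login search unless PAM is configured to bind as that user before searching.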