UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22557 GEN008020 SV-38966r1_rule DCNR-1 Medium
Description
The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.
STIG Date
AIX 5.3 SECURITY TECHNICAL IMPLEMENTATION GUIDE 2014-10-03

Details

Check Text ( C-37919r1_chk )
Check if the system is using LDAP authentication.
#grep LDAP /etc/security/user
If no lines are returned, this vulnerability is not applicable.

Verify SSL is enabled.
#grep '^useSSL' /etc/security/ldap/ldap.cfg
If yes is not the returned value, this is a finding.

Verify a server certificate is required and verified by the LDAP configuration.
#grep -I '^ldapsslkeyf' /etc/security/ldap/ldap.cfg
Make note of the key database file location.

#gsk7cmd -cert -list CA -db -pw
Make note of the Key Label.
#gsk7cmd -cert -details -showOID -db -pw -label

THE IBM GSK Database should only have certificates for the client system and for the LDAP server.
If more certificates are in the key database than the LDAP server and the client, this is a finding.
Fix Text (F-33175r1_fix)
Install a certificate signed by a DoD PKI or a DoD-approved external PKI.

#gsk7cmd < or > ikeyman

Remove un-needed CA certificates.
#gsk7cmd < or > ikeyman