UCF STIG Viewer Logo

If the system is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-24384 GEN008050 SV-38968r1_rule IAIA-1 IAIA-2 Medium
Description
The authentication of automated LDAP connections between systems must not use passwords since more secure methods are available, such as PKI and Kerberos. Additionally, the storage of unencrypted passwords on the system is not permitted.
STIG Date
AIX 5.3 SECURITY TECHNICAL IMPLEMENTATION GUIDE 2014-10-03

Details

Check Text ( C-37921r1_chk )
Examine the LDAP configuration file(s).

#grep bindpwd: /etc/security/ldap/ldap.cfg
If the returned entry has an unencrypted password (not like "bindpwd:{DES}"), this is a finding.
If the LDAP configuration file contains an encrypted password accessible by regular users on the system, this is a finding.
#ls -l /etc/security/ldap/ldap.cfg

Check for unencrypted SSL keyfile password.
#grep '^ldapsslkeypwd' /etc/security/ldap/ldap.cfg
If the returned entry has an unencrypted password (not like "ldapsslkeypwd:{DES}"), this is a finding.
Fix Text (F-33177r1_fix)
Remove any passwords from LDAP configuration files.

The bindpw (bind password) can be encrypted with the mksecldap command.
#mksecldap

Stash the SSL key database file with the gsk7cmd or ikeyman commands.
#gsk7cmd < or > ikeyman

Comment out the ldapsslpwd line to use stashed password. The password stash file must reside in the same directory as the SSL key database, and must have the same name as the key database, but with an extension of .sth instead of .kdb.