LDAP authentication must be secured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222965	TCAT-AS-000690	SV-222965r879609_rule		High

Description
JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'connectionURL' configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to. The LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text. To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).

Description

JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'connectionURL' configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to. The LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text. To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).

STIG	Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide	2023-12-18

Details

Check Text ( C-24637r426339_chk )
From the Tomcat server as a privileged user, run the following commands: sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding. EXAMPLE: This is an example. Substitute localhost for the LDAP server IP and configure other LDAP-related settings as well. connectionURL="ldaps://localhost:686" ... />

Check Text ( C-24637r426339_chk )

From the Tomcat server as a privileged user, run the following commands:

sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml

If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding.

EXAMPLE:
This is an example. Substitute localhost for the LDAP server IP and configure other LDAP-related settings as well.

connectionURL="ldaps://localhost:686"
...
/>

Fix Text (F-24626r426340_fix)
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps//WEB-INF/web.xml From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Locate the element in the server.xml file, add a nested element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements. EXAMPLE: This is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema. connectionURL="ldaps://localhost:686" userPattern="uid={0},ou=people,dc=myunit,dc=mil" roleBase="ou=groups,dc=myunit,dc=mil" roleName="cn" roleSearch="(uniqueMember={0})" />

Fix Text (F-24626r426340_fix)

Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps//WEB-INF/web.xml

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Locate the element in the server.xml file, add a nested element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.

EXAMPLE:
This is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema.

connectionURL="ldaps://localhost:686"
userPattern="uid={0},ou=people,dc=myunit,dc=mil"
roleBase="ou=groups,dc=myunit,dc=mil"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>