UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

LDAP authentication must be secured.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222965 TCAT-AS-000690 SV-222965r557518_rule High
Description
JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'connectionURL' configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to. The LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text. To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2020-09-23

Details

Check Text ( C-24637r426339_chk )
From the Tomcat server as a privileged user, run the following commands:

sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml

If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding.

EXAMPLE:
This is an example. Substitute localhost for the LDAP server IP and configure other LDAP-related settings as well.

connectionURL="ldaps://localhost:686"
...
/>
Fix Text (F-24626r426340_fix)
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps//WEB-INF/web.xml

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Locate the element in the server.xml file, add a nested element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.

EXAMPLE:
This is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema.

connectionURL="ldaps://localhost:686"
userPattern="uid={0},ou=people,dc=myunit,dc=mil"
roleBase="ou=groups,dc=myunit,dc=mil"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>