If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22557	GEN008020	SV-38381r1_rule	DCNR-1	Medium

Description
The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2018-03-01

Details

Check Text ( C-36762r1_chk )
Determine if the system uses LDAP. If it does not, this is not applicable. # swlist \| grep LDAP OR # cat /etc/nsswitch.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \| grep -v "^#" \| grep -i ldap If no lines are returned for either of the above commands, LDAP is not installed and this is not applicable. If the LDAP product is installed: # cat /etc/opt/ldapux/ldapux_client.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \| grep -v "^#" \| grep -i peer_cert_policy If /etc/opt/ldapux/ldapux_client.conf setting is peer_cert_policy=WEAK, this is a finding.

Check Text ( C-36762r1_chk )

Determine if the system uses LDAP. If it does not, this is not applicable.
# swlist | grep LDAP
OR
# cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap

If no lines are returned for either of the above commands, LDAP is not installed and this is not applicable.

If the LDAP product is installed:
# cat /etc/opt/ldapux/ldapux_client.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i peer_cert_policy

If /etc/opt/ldapux/ldapux_client.conf setting is peer_cert_policy=WEAK, this is a finding.

Fix Text (F-32145r1_fix)
Edit /etc/opt/ldapux/ldapux_client.conf and set # Perform the CERT check peer_cert_policy=CERT OR # Perform the CERT check PLUS peer_cert_policy=CNCERT