
If LDAP is used, the AIX LDAP client must use SSL to authenticate with the LDAP server.


Overview

Finding ID: V-215204
Version: AIX7-00-001045
Rule ID: SV-215204r508663_rule
IA Controls:
Severity: High
Description
When the LDAP client's authentication type is ldap_auth (server-side authentication), the client sends the user's password to the LDAP server in clear text for verification. SSL must be used in this case so the password is protected in transit.
STIG: IBM AIX 7.x Security Technical Implementation Guide
Date: 2022-06-06

Details

Check Text (C-16402r294063_chk)
Run the following command to check whether "authtype" is "ldap_auth":
# grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg

The above command should yield the following output:
authtype:ldap_auth

Run the following command to check whether SSL is enabled in the "/etc/security/ldap/ldap.cfg" file:
# grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg

The above command should yield the following output:
useSSL:yes

If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.
Fix Text (F-16400r294064_fix)
Edit the "/etc/security/ldap/ldap.cfg" file to have the following line:
useSSL:yes

Configure the LDAP server and LDAP client to use SSL according to the AIX LDAP documentation.

Restart the client daemon:
# restart-secldapclntd
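As an added example (not part of the STIG text), the following POSIX shell function applies the check above to any ldap.cfg file and reports compliant, finding, or not applicable; it uses the same anchored, case-insensitive patterns as the check text. The three sample configuration files it builds are constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example: evaluate the V-215204 check against an ldap.cfg file.
# The file path is a parameter so the function can run on sample files
# instead of /etc/security/ldap/ldap.cfg.

# Usage: ldap_ssl_status <path-to-ldap.cfg>
# Return codes: 0 = compliant      (authtype ldap_auth and useSSL:yes)
#               1 = finding        (authtype ldap_auth without useSSL:yes)
#               2 = not applicable (authtype is not ldap_auth)
ldap_ssl_status() {
    cfg="$1"
    # Same pattern as the check text: key anchored at line start, optional blanks.
    if ! grep -iqE '^authtype:[[:blank:]]*ldap_auth' "$cfg"; then
        return 2
    fi
    if grep -iqE '^useSSL:[[:blank:]]*yes' "$cfg"; then
        return 0
    fi
    return 1
}

# Constructed sample configurations (not real AIX files).
make_samples() {
    dir="$1"
    # Finding: server-side auth with the useSSL line commented out.
    printf 'authtype:ldap_auth\n#useSSL:yes\nldapport:389\n' > "$dir/finding.cfg"
    # Compliant: server-side auth with SSL enabled (blank after the colon is allowed).
    printf 'authtype: ldap_auth\nuseSSL:yes\nldapsslport:636\n' > "$dir/ok.cfg"
    # Not applicable: unix_auth, so the password is not sent to the server.
    printf 'authtype:unix_auth\nuseSSL:no\n' > "$dir/na.cfg"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for name in finding ok na; do
    rc=0
    ldap_ssl_status "$tmp/$name.cfg" || rc=$?
    echo "$name.cfg -> status $rc"
done
rm -rf "$tmp"
```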