Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The LDAP client must use a TLS connection using trust certificates signed by the site CA.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38626 | RHEL-06-000253 | SV-50427r1_rule | Medium |
| Description |
|---|
| The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2015-05-26 |
Details
| Check Text ( C-46185r1_chk ) |
|---|
| If the system does not use LDAP for authentication or account information, this is not applicable. To ensure TLS is configured with trust certificates, run the following command: # grep cert /etc/pam_ldap.conf If there is no output, or the lines are commented out, this is a finding. |
| Fix Text (F-43575r1_fix) |
|---|
| Ensure a copy of the site's CA certificate has been placed in the file "/etc/pki/tls/CA/cacert.pem". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file "/etc/pam_ldap.conf", and add or correct either of the following lines: tls_cacertdir /etc/pki/tls/CA or tls_cacertfile /etc/pki/tls/CA/cacert.pem Then review the LDAP server and ensure TLS has been configured. |