
If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.


Overview

Finding ID: V-38625
Version: RHEL-06-000252
Rule ID: SV-50426r2_rule
IA Controls: none listed
Severity: Medium
Description
The LDAP server will use unencrypted connections by default. If the LDAP daemon is not configured to use "ldaps:///", all communications between the client and the server will not be encrypted. The LDAP server should be configured to use "ldaps:///" over the default "ldap:///".
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2016-06-05

Details

Check Text ( C-46184r2_chk )
If the system does not use LDAP for authentication or account information, this is not applicable.

To ensure LDAP is configured to use TLS for all transactions, run the following command:

# ps -ef | grep "slapd"

If the LDAP daemon is not using "ldaps:///", this is a finding.

If the LDAP daemon is using "ldap:///", this is a finding.

Verify that the LDAP client cannot connect using an unencrypted method.
# openssl s_client -connect [HOST]:389

If the following line is not returned, this is a finding:
Socket: Connection refused.

Note: The default port for unencrypted LDAP connections is 389.
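The check text above amounts to two rules applied to the slapd command line (any "ldap:///" listener is a finding; no "ldaps:///" listener is a finding) plus a probe of the plaintext port. The script below is an added example, not part of the STIG or of any DISA tooling: it applies those rules to a ps -ef line and classifies the openssl s_client output, so the check can be scripted instead of read by eye. The sample ps lines are constructed, not captured from a real host, and the one assumption beyond the page is OpenLDAP's documented default that slapd started without -h listens on ldap:/// only.

```shell
#!/bin/sh
# Added example (not the STIG's own text): scriptable form of the
# RHEL-06-000252 check against the slapd line from `ps -ef`.
#   - any listener URL beginning ldap://   -> finding (plaintext listener)
#   - no listener URL beginning ldaps://   -> finding (TLS not enabled)
# Assumption (OpenLDAP behaviour, not stated on the page): slapd started
# without -h listens on ldap:/// only, so a missing -h is also a finding.

# evaluate_slapd_line "<one line of ps -ef output>"
# Prints "pass: ..." and returns 0, or "finding: ..." and returns 1.
evaluate_slapd_line() {
    line=$1
    case "$line" in
        *slapd*) ;;
        *) printf 'finding: no slapd process found\n'; return 1 ;;
    esac

    set -f                          # ps output contains '?'; never glob it
    in_h=0; plain=''; secure=''
    for word in $line; do
        if [ "$in_h" -eq 1 ]; then
            case "$word" in
                -*)        break ;;                   # next slapd option ends the -h list
                ldaps://*) secure="$secure $word" ;;  # TLS listener
                ldap://*)  plain="$plain $word" ;;    # plaintext listener
            esac
        elif [ "$word" = "-h" ]; then
            in_h=1
        fi
    done
    set +f

    if [ "$in_h" -eq 0 ]; then
        plain=' ldap:///'           # default listener (assumption above)
    fi
    if [ -n "$plain" ]; then
        printf 'finding: plaintext listener%s\n' "$plain"; return 1
    fi
    if [ -z "$secure" ]; then
        printf 'finding: no ldaps:/// listener\n'; return 1
    fi
    printf 'pass: listening on%s\n' "$secure"
    return 0
}

# plain_port_status "<output of openssl s_client -connect HOST:389>"
# The check text expects the plaintext port to refuse the connection.
plain_port_status() {
    case "$1" in
        *"Connection refused"*) printf 'closed\n'; return 0 ;;
        *)                      printf 'open\n';   return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real system).
SAMPLE_OK='ldap 1234 1 0 10:00 ? 00:00:00 /usr/sbin/slapd -h ldaps:/// -u ldap'
SAMPLE_MIXED='ldap 1234 1 0 10:00 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap'
SAMPLE_DEFAULT='ldap 1234 1 0 10:00 ? 00:00:00 /usr/sbin/slapd -u ldap'

for s in "$SAMPLE_OK" "$SAMPLE_MIXED" "$SAMPLE_DEFAULT"; do
    evaluate_slapd_line "$s" || true
done
```

On a live host the first function would be fed `ps -ef | grep "[s]lapd"` and the second the captured output of the openssl command from the check text; both rules and the port probe must pass for the item to be not a finding.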
Fix Text (F-43574r2_fix)
Configure the LDAP server to enforce TLS use.