Title

If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked. (Cat II impact)

Discussion

LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.

Check Content

Determine if the system uses LDAP. If it does not, this is not applicable. # swlist | grep LDAP OR # cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap If no lines are returned for either of the above commands, this vulnerability is not applicable. Verify the LDAP client is configured to check certificates against a certificate revocation list. # cat /etc/ldap.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | \ grep -i "^tls_crlcheck" If the setting does not exist, or the value is not all, this is a finding.

Fix Text

Edit /etc/ldap.conf and add or set the tls_crlcheck setting to all.

Additional Identifiers

Rule ID: SV-38382r1_rule

Vulnerability ID: V-22558

Group Title: GEN008040

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.