Title

If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA. (Cat II impact)

Discussion

The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.

Check Content

Determine if the system uses LDAP. If it does not, this is not applicable. # swlist | grep LDAP OR # cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap If no lines are returned for either of the above commands, LDAP is not installed and this is not applicable. If the LDAP product is installed: # cat /etc/opt/ldapux/ldapux_client.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i peer_cert_policy If /etc/opt/ldapux/ldapux_client.conf setting is peer_cert_policy=WEAK, this is a finding.

Fix Text

Edit /etc/opt/ldapux/ldapux_client.conf and set # Perform the CERT check peer_cert_policy=CERT OR # Perform the CERT check PLUS peer_cert_policy=CNCERT

Additional Identifiers

Rule ID: SV-38381r1_rule

Vulnerability ID: V-22557

Group Title: GEN008020

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.