Title

IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. (Cat I impact)

Discussion

While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.

Check Content

Run the following command to check if "authtype" is "ldap_auth": # grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg The above command should yield the following output: authtype:ldap_auth Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file: # grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg The above command should yield the following output: useSSL:yes If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.

Fix Text

Edit the "/etc/security/ldap/ldap.cfg" file to have the following line: useSSL:yes Configure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation. Restart the client daemon: # restart-secldapclntd

Additional Identifiers

Rule ID: SV-215204r877396_rule

Vulnerability ID: V-215204

Group Title: SRG-OS-000074-GPOS-00042

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.