Title

LDAP Authentication must use authentication when connecting to LDAPv3. (Cat II impact)

Discussion

When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if the network the computer is running on is not secure. If the network is unsecure, someone can create a rogue DHCP. Use authentication when connecting to LDAPv3 directories; disable clear text passwords for all LDAPv3 directories; digitally sign all LDAPv3 packets (requires Kerberos); encrypt all LDAPv3 packets (requires SSL or Kerberos); and block man-in-the-middle attacks (requires Kerberos).

Check Content

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click the Security tab and verify the "Use authentication when connecting" is checked. If option is not checked, this is a finding.

Fix Text

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Show Advanced Options button. Click Services tab. Click the Lock and enter the password to unlock the options (if needed). Click the LDAPv3 service. Click the Pencil icon. Highlight the Server Name/Configuration Name. Click Edit. Click on Security tab and select "Use authentication when connecting".

Additional Identifiers

Rule ID: SV-38516r1_rule

Vulnerability ID: V-25264

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.