Navigate

Check: GEN008020

VMware ESX 3 Server: GEN008020 (in version v1 r2)

Title

If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provides a certificate and this certificate has a valid trust path to a trusted CA. (Cat II impact)

Discussion

The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.

Check Content

Check if the system is using NSS LDAP. # grep -v '^#' /etc/nsswitch.conf | grep ldap If no lines are returned, this vulnerability is not applicable. Verify a server certificate is required and verified by the NSS LDAP configuration. # grep -i '^tls_checkpeer' /etc/ldap.conf If no line is returned, or the value is not yes, this is a finding.

Fix Text

Edit /etc/ldap.conf and add or set the tls_checkpeer setting to yes.

Additional Identifiers

Rule ID: SV-26943r1_rule

Vulnerability ID: V-22557

Group Title: GEN008020

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000185	The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
IA-5 (2)	Pki-Based Authentication