← Back to IBM AIX 7.x Security Technical Implementation Guide

V-215204

CAT I (High)

IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server.

Rule ID

SV-215204r987796_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000197

Discussion

While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.

Check Content

Run the following command to check if "authtype" is "ldap_auth":
# grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg

The above command should yield the following output:
authtype:ldap_auth

Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file:
# grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg

The above command should yield the following output:
useSSL:yes

If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes",  this is a finding.

Fix Text

Edit the "/etc/security/ldap/ldap.cfg" file to have the following line:
useSSL:yes

Configure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation.

Restart the client daemon:
# restart-secldapclntd