{"description": "Ensure a copy of a trusted CA certificate has been placed in the file\n<tt>/etc/pki/tls/CA/cacert.pem</tt>. Configure LDAP to enforce TLS use and\nto trust certificates signed by that CA. First, edit the file\n<tt>/etc/nslcd.conf</tt>, and add or correct either of the following lines:\n<pre>tls_cacertdir /etc/pki/tls/CA</pre> or \n<pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre>\nThen review the LDAP server and ensure TLS has been configured.", "rationale": "The tls_cacertdir or tls_cacertfile directives are required when\ntls_checkpeer is configured (which is the default for openldap versions 2.1 and\nup). These directives define the path to the trust certificates signed by the\nsite CA.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "anssi": ["R67"]}, "control_references": {"anssi": ["R67"]}, "components": [], "identifiers": {}, "ocil_clause": "LDAP is not in use, the line is commented out, or not configured correctly", "ocil": "To ensure TLS is configured with trust certificates, run the following command:\n<pre>$ grep cert /etc/nslcd.conf</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nss-pam-ldapd]", "platforms": ["package[nss-pam-ldapd]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_nss-pam-ldapd"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure Certificate Directives for LDAP Use of TLS", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/rule.yml", "template": null}