{"description": "Configure SSSD to demand a valid certificate from the server to\nprotect the integrity of LDAP remote access sessions by setting\nthe <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</pre>\nto <tt>demand</tt>.", "rationale": "Without a valid certificate presented to the LDAP client backend, the identity of a\nserver can be forged compromising LDAP remote access sessions.", "severity": "medium", "references": {"nist": ["SC-12(3)", "CM-6(a)"], "srg": ["SRG-OS-000250-GPOS-00093"], "anssi": ["R67"]}, "control_references": {"anssi": ["R67"]}, "components": [], "identifiers": {}, "ocil_clause": "the TLS reqcert is not set to demand", "ocil": "To verify the LDAP client backend demands a valid certificate from the server in\nremote LDAP access sessions, run the following command:\n<pre>$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf</pre>\nThe output should return the following:\n<pre>ldap_tls_reqcert = demand</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "sssd-ldap", "platforms": ["sssd-ldap"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[sssd]"], "cpe_platform_names": ["sssd-ldap"], "inherited_cpe_platform_names": ["system_with_kernel", "package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml", "template": null}