{"description": "This check verifies that cryptography is used to protect\nthe integrity of remote LDAP authentication sessions.\n<br /><br />\nTo determine if LDAP is being used for authentication, use the following\ncommand:\n<pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre>\n<br /><br />\nIf <tt>USELDAPAUTH=yes</tt>, then LDAP is being used. To check if LDAP is\nconfigured to use TLS, use the following command:\n<pre>$ sudo grep -i ssl /etc/pam_ldap.conf</pre>\n<br /><br />\nOnly an uncommented <tt>ssl start_tls</tt> line satisfies this check; a\ncommented-out line does not.", "rationale": "Without cryptographic integrity protections, information can be altered by\nunauthorized users without detection. The ssl directive specifies whether\nto use TLS. If it is not specified, it defaults to off (no encryption). It\nshould be set to start_tls rather than to LDAP over SSL.", "severity": "medium", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["AC-17(a)", "AC-17(2)", "CM-6(a)", "SC-12(a)", "SC-12(b)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "srg": ["SRG-OS-000250-GPOS-00093"], "anssi": 
["R67"]}, "control_references": {"anssi": ["R67"]}, "components": [], "identifiers": {}, "ocil_clause": "LDAP is not in use, the line is commented out, or not configured correctly", "ocil": "To ensure LDAP is configured to use TLS for all transactions, run the following command:\n<pre>$ grep start_tls /etc/pam_ldap.conf</pre>\nThe result should contain the following uncommented line (a line beginning with <tt>#</tt> does not count):\n<pre>ssl start_tls</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[nss-pam-ldapd]", "platforms": ["package[nss-pam-ldapd]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_nss-pam-ldapd"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure LDAP Client to Use TLS For All Transactions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/rule.yml", "template": null}
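The rule above has no OVAL or fix content attached, and the manual checks it gives (`grep -i ssl` and `grep start_tls`) also match a commented-out template line, which the ocil_clause explicitly calls a finding. The following is an added example, not the SCAP Security Guide's own check or remediation: a POSIX shell audit that reads only active (uncommented) `ssl` directives, reports NOT_APPLICABLE when `USELDAPAUTH=yes` is absent, and an idempotent remediation that rewrites any active `ssl` line to `ssl start_tls`. It takes file paths as arguments and runs against constructed sample files in a temp directory, so it never touches /etc; the function names and the sample contents are this example's own.

```shell
#!/bin/sh
# Added example (not part of the SSG rule): audit and remediate the `ssl`
# directive of a pam_ldap.conf-style file. Paths are parameters so the
# functions can be exercised on constructed samples instead of /etc.

# ldap_auth_enabled AUTHCONFIG_FILE
# Succeeds if the file has an uncommented USELDAPAUTH=yes line.
ldap_auth_enabled() {
    grep -Eiq '^[[:space:]]*USELDAPAUTH=yes[[:space:]]*$' "$1"
}

# ssl_directive CONF_FILE
# Prints the value of the last *active* ssl directive (on/off/start_tls),
# or "unset". Lines whose first field starts with '#' never reach the
# comparison, so a "# ssl start_tls" template line is ignored, which is the
# case a bare `grep start_tls` gets wrong.
ssl_directive() {
    val=$(awk 'tolower($1) == "ssl" { v = tolower($2) }
               END { print (v == "" ? "unset" : v) }' "$1")
    printf '%s\n' "$val"
}

# start_tls_configured CONF_FILE
# Succeeds only when the active directive is exactly start_tls.
start_tls_configured() {
    [ "$(ssl_directive "$1")" = "start_tls" ]
}

# check_rule AUTHCONFIG_FILE CONF_FILE
# Prints NOT_APPLICABLE (LDAP auth not in use), PASS, or FAIL.
check_rule() {
    if ! ldap_auth_enabled "$1"; then
        echo NOT_APPLICABLE
        return 0
    fi
    if start_tls_configured "$2"; then echo PASS; else echo FAIL; fi
}

# remediate CONF_FILE
# Rewrite every active ssl line to "ssl start_tls"; append one if there is
# no active ssl line. Running it twice changes nothing the second time.
remediate() {
    f=$1
    if grep -Eq '^[[:space:]]*[Ss][Ss][Ll][[:space:]]' "$f"; then
        tmp=$(mktemp)
        sed -E 's/^[[:space:]]*[Ss][Ss][Ll][[:space:]]+.*$/ssl start_tls/' "$f" > "$tmp"
        cat "$tmp" > "$f"
        rm -f "$tmp"
    else
        printf '\nssl start_tls\n' >> "$f"
    fi
}

# Constructed sample files (hypothetical contents, not real system files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'USEKERBEROS=no\nUSELDAPAUTH=yes\n' > "$WORK/authconfig"
cat > "$WORK/pam_ldap.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
# ssl start_tls
ssl off
EOF

# Stand-alone run: the sample has only a commented start_tls line and an
# active "ssl off", so the audit reports FAIL before remediation.
check_rule "$WORK/authconfig" "$WORK/pam_ldap.conf"
```

The awk filter is the point of the example: it decides on the first two fields of each non-comment line rather than on a substring match, so `# ssl start_tls`, `ssl off` and `ssl on` (LDAP over SSL, which the rationale says not to use) are all classified as non-compliant, and only an active `ssl start_tls` passes.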