From AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Part of GEN008050
Associated with IA controls: IAIA-2, IAIA-1
Associated with: CCI-000196
The authentication of automated LDAP connections between systems must not use passwords since more secure methods are available, such as PKI and Kerberos. Additionally, the storage of unencrypted passwords on the system is not permitted.
Examine the LDAP configuration file(s). #grep bindpwd: /etc/security/ldap/ldap.cfg If the returned entry has an unencrypted password (not like "bindpwd:{DES}"), this is a finding. If the LDAP configuration file contains an encrypted password accessible by regular users on the system, this is a finding. #ls -l /etc/security/ldap/ldap.cfg Check for unencrypted SSL keyfile password. #grep '^ldapsslkeypwd' /etc/security/ldap/ldap.cfg If the returned entry has an unencrypted password (not like "ldapsslkeypwd:{DES}"), this is a finding.
Remove any passwords from LDAP configuration files. The bindpw (bind password) can be encrypted with the mksecldap command. #mksecldap Stash the SSL key database file with the gsk7cmd or ikeyman commands. #gsk7cmd < or > ikeyman Comment out the ldapsslpwd line to use stashed password. The password stash file must reside in the same directory as the SSL key database, and must have the same name as the key database, but with an extension of .sth instead of .kdb.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer