Skip to content

Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

An XCCDF Rule

Description

Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the

ldap_tls_reqcert
option in
/etc/sssd/sssd.conf
to demand.

Rationale

Without a valid certificate presented to the LDAP client backend, the identity of a server can be forged compromising LDAP remote access sessions.

ID
xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL07-00-040190
  - NIST-800-53-CM-6(a)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'
AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'