
Configure SSSD LDAP Backend to Use TLS For All Transactions

An XCCDF Rule

Description

The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the id_provider is set to ldap or ipa in /etc/sssd/sssd.conf or any of the /etc/sssd/sssd.conf.d configuration files, ldap_id_use_start_tls must be set to true.

To check if LDAP is configured to use TLS when id_provider is set to ldap or ipa, use the following command:

$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf
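A small checker for the condition stated above, added here as an example and not part of the SSG content itself: it parses sssd.conf-style text with Python's configparser and reports every [domain/...] section whose id_provider is ldap or ipa but whose ldap_id_use_start_tls is not true (an ad provider is reported as not applicable). The sample configuration is constructed; the same function can be run over each fragment in /etc/sssd/sssd.conf.d.

```python
import configparser
import io

# Constructed sample sssd.conf (not from a real host) covering the three
# cases the rule distinguishes: compliant, missing option, not applicable.
SAMPLE_SSSD_CONF = """
[domain/corp.example]
id_provider = ldap
ldap_uri = ldap://ldap.corp.example
ldap_id_use_start_tls = true

[domain/lab.example]
id_provider = ipa
ipa_server = ipa.lab.example

[domain/win.example]
id_provider = ad
ad_domain = win.example
"""

TLS_REQUIRED_PROVIDERS = {"ldap", "ipa"}


def check_start_tls(text):
    """Map each [domain/...] section to 'pass', 'fail' or 'n/a' (id_provider
    is neither ldap nor ipa, so the rule does not apply to that domain)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    results = {}
    for section in parser.sections():
        if not section.lower().startswith("domain/"):
            continue
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider not in TLS_REQUIRED_PROVIDERS:
            results[section] = "n/a"
            continue
        # The option must be present and explicitly true; absent or false
        # means identity lookups reach the server without START_TLS.
        value = parser.get(section, "ldap_id_use_start_tls", fallback="")
        results[section] = "pass" if value.strip().lower() == "true" else "fail"
    return results


def is_compliant(text):
    """True when no applicable domain section fails the rule."""
    return all(v != "fail" for v in check_start_tls(text).values())


if __name__ == "__main__":
    for domain, status in check_start_tls(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {status}")
```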

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS. If it is not specified, it defaults to no. It should be set to start_tls rather than using LDAP over SSL.

ID
xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
Severity
High



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL07-00-040180
  - NIST-800-53-CM-6(a)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'