The FortiGate device must use LDAPS for the LDAP connection.

An XCCDF Rule

Description

<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Network devices can accomplish this by making direct function calls to encryption modules or by leveraging operating system encryption capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-234208r879609_rule
Severity: High
References: CCI-000197
Updated: about 1 year ago

Log in to the FortiGate GUI with Super-Admin privilege.

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
     # config user ldap
           # edit {ldap_server_name}           # set server {server_ip}
           # set cnid {cn} 
           # set dn {dc=XYZ,dc=fortinet,dc=COM} 
           # set type regular 
           # set username {cn=Administrator,dc=XYA, dc=COM} 
           # set password {bind password}
           # set secure ldaps
           #    set ca-cert {CA certificate name}
      # next 
  # end

The FortiGate device must use LDAPS for the LDAP connection.

Description

Remediation - Manual Procedure