Re: Center for Internet Security benchmark for OpenLDAP

["matthew sporleder" <msporleder@gmail.com>]

On 9/28/07, Howard Chu <hyc@symas.com> wrote:
> Buchan Milne wrote:
> > On Thursday 27 September 2007 20:09:19 Howard Chu wrote:
> >>> Unfortunately, they show configuration for slurpd in their section
> >>> on "Redundant LDAP Servers".
> >>>
> >>> I wonder if it is worthwhile providing CIS with feedback?
> >> Now that you've pointed it out, I went and downloaded it. I find the
> >> quality of the editing of this document to be pretty abysmal, but the
> >> factual content is at least fixable. I'll be sending some feedback to the
> >> editor shortly.
> >>
> >> As usual, if you want to know "best practices", the best way to get that is
> >> just to ask us or read the docs we've already written...
> >
> > Indeed, but unfortunately our esteemed security group bases their security
> > standards on the CIS benchmarks (usually their changes reduce the technical
> > quality at the expense of formatting etc.), so I suspect at some stage I'll
> > be getting questions about an OpenLDAP standard (and I'll probably have to
> > fix it up more than I have the Linux one ...).
>
> Understood. As Tony pointed out, when I said "when you want to know" I of course
> meant "when one wants to know" because obviously you, Buchan, already know what
> you're doing.
>
> For anyone curious, here's their document as plaintext with my commentary inserted.
>
> Howard Chu wrote:
>  > You really ought to run articles like this by us before publishing, to be sure
>  > you've got all the facts correct.
>  >
>  >> Center for Internet Security Benchmark for OpenLDAP v1.0
>  >
>  >>  Introduction LDAP stands for Lightweight Directory Access Protocol defined
>  >> in RFC 2251 and others and is based on X.500 directory services. LDAP
>  >> servers are very popular including commercial servers such as Microsoft
>  >> Active Directory, IBM Tivoli Directory Server, Novell eDirectory, and Sun
>  >> Java System Directory Server. OpenLDAP is the most popular of the open
>  >> source LDAP servers. LDAP servers are just one part of a typical network
>  >> infrastructure, and their security depends in part on the security of the
>  >> rest of the infrastructure. However this benchmark will focus primarily on
>  >> the secure configuration of the OpenLDAP server.
>  >>
>  >> Applicability
>  >> The benchmark was developed and tested using OpenLDAP version
>  >> 2.3 on Fedcora Core 6, however most of the content will apply to other
...

Thanks for reproducing this document.  I'm glad I didn't fill anything
out to download it.

Am I the only one who noticed this:
<quote>
What is the Benchmark?
The Benchmark is a compilation of security configuration actions and
settings that "harden" MySQL databases.  It recommends Level 1
Benchmark guidance, representing the prudent level of minimum due care
for operating system security.
</quote>
?

>From this example, I would have to recommend strongly against
following the advice of this site.